diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 284f6f33a1..aad198c643 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -210,9 +210,7 @@ "template_folder": "_themes" } ], - "notification_subscribers": [ - "elizapo@microsoft.com" - ], + "notification_subscribers": [], "sync_notification_subscribers": [ "dstrome@microsoft.com" ], diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 04826145f2..2c59b009f8 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,5 +1,15 @@ { "redirections": [ + { + "source_path": "windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md", + "redirect_url": "/windows/security/windows/security/identity-protection/hello-for-business/webauthn-apis", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/manage-windows-mixed-reality.md", + "redirect_url": "/windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/browserfavorite-csp.md", "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3", @@ -6507,8 +6517,8 @@ }, { "source_path": "windows/access-protection/access-control/dynamic-access-control.md", - "redirect_url": "/windows/security/identity-protection/access-control/dynamic-access-control", - "redirect_document_id": false + "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", + "redirect_document_id": true }, { "source_path": "windows/access-protection/access-control/local-accounts.md", @@ -19564,6 +19574,76 @@ "source_path": "education/windows/get-minecraft-device-promotion.md", "redirect_url": "/education/windows/get-minecraft-for-education", "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune", + "redirect_document_id": false + }, + { + "source_path": "smb/cloud-mode-business-setup.md", + "redirect_url": "https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/bg-p/Microsoft365BusinessBlog", + "redirect_document_id": false + }, + { + "source_path": "smb/index.md", + "redirect_url": "https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/bg-p/Microsoft365BusinessBlog", + "redirect_document_id": false + }, + { + "source_path": "windows/whats-new/contribute-to-a-topic.md", + "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", + "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/security-principals.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-principals", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/active-directory-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-default-user-accounts", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/microsoft-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-microsoft-accounts", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/service-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-service-accounts", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/active-directory-security-groups.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-groups", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/special-identities.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-special-identities-groups", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md", + "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", + "redirect_document_id": false } ] } diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3bf0503686..e09fdb10e8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -2,7 +2,7 @@ Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs. This page covers the basic steps for editing our technical documentation. -For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/). +For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://docs.microsoft.com/contribute/). ## Sign a CLA @@ -19,16 +19,16 @@ We've tried to make editing an existing, public file as simple as possible. ### To edit a topic -1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update. +1. Browse to the [Microsoft Docs](https://docs.microsoft.com/) article that you want to update. > **Note**
> If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main). 1. Then select the **Pencil** icon. - ![Microsoft Docs Web, showing the Edit This Document link.](images/contribute-link.png) + ![Screenshot showing the Pencil icon to edit a published article.](images/contribute-link.png) - If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs). + If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [MicrosoftDocs organization on GitHub](https://github.com/MicrosoftDocs). > **TIP**
> View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article. @@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible. ![GitHub Web, showing the Pencil icon.](images/pencil-icon.png) -1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation. +1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation. 1. Make your suggested change, and then select **Preview changes** to make sure it looks correct. @@ -82,4 +82,4 @@ In the new issue form, enter a brief title. In the body of the form, describe th - You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft. - You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/). -- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference). +- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference). diff --git a/bcs/TOC.yml b/bcs/TOC.yml deleted file mode 100644 index 981fe6d622..0000000000 --- a/bcs/TOC.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Index - href: index.md diff --git a/bcs/breadcrumb/toc.yml b/bcs/breadcrumb/toc.yml deleted file mode 100644 index 61d8fca61e..0000000000 --- a/bcs/breadcrumb/toc.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: Docs - tocHref: / - topicHref: / \ No newline at end of file diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md index 25f58fb19f..a8f90c3697 100644 --- a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md +++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md @@ -5,7 +5,7 @@ Starting with Windows 10, version 1511 (also known as the Anniversary Update), y ### Site list xml file -This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. ```xml @@ -47,4 +47,4 @@ This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypf -``` \ No newline at end of file +``` diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index 0a0f72e971..21e15f6d8d 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md @@ -35,4 +35,4 @@ ms.topic: include - [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) - [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) -- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) +- [Fix web compatibility issues using document modes and the Enterprise Mode site list](/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml index 17fad3f1dd..05e93f6e25 100644 --- a/browsers/internet-explorer/internet-explorer.yml +++ b/browsers/internet-explorer/internet-explorer.yml @@ -6,9 +6,9 @@ metadata: title: Internet Explorer 11 documentation description: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need. ms.topic: landing-page - author: lizap - ms.author: elizapo - ms.date: 07/06/2020 + author: aczechowski + ms.author: aaroncz + ms.date: 07/29/2022 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new @@ -38,14 +38,6 @@ landingContent: url: https://www.microsoft.com/download/details.aspx?id=49974 - text: Cumulative security updates for Internet Explorer 11 url: https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative%20security%20update%20for%20internet%20explorer%2011 - - linkListType: learn - links: - - text: Getting started with Windows 10 for IT professionals - url: https://mva.microsoft.com/training-courses/getting-started-with-windows-10-for-it-professionals-10629?l=fCowqpy8_5905094681 - - text: 'Windows 10: Top Features for IT Pros' - url: https://mva.microsoft.com/training-courses/windows-10-top-features-for-it-pros-16319?l=xBnT2ihhC_7306218965 - - text: 'Virtual Lab: Enterprise Mode' - url: https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02 # Card - title: Plan @@ -62,8 +54,6 @@ landingContent: url: ./ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md - text: Manage Windows upgrades with Upgrade Readiness url: /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness - - text: 'Demo: Plan and manage Windows 10 upgrades and feature updates with' - url: https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content-2017/Windows-Analytics-Plan-and-manage-Windows-10-upgrades-and/td-p/98639 - linkListType: how-to-guide links: - text: Turn on Enterprise Mode and use a site list @@ -125,11 +115,7 @@ landingContent: - text: Out-of-date ActiveX control blocking url: ./ie11-deploy-guide/out-of-date-activex-control-blocking.md - text: Update to block out-of-date ActiveX controls in Internet Explorer - url: https://support.microsoft.com/help/2991000/update-to-block-out-of-date-activex-controls-in-internet-explorer - - text: Script to join user to AD with automatic Local user Profile Migration - url: https://gallery.technet.microsoft.com/scriptcenter/script-to-join-active-7b16d9d3 - - text: Scripts for IT professionals - url: https://gallery.technet.microsoft.com/scriptcenter/site/search?query=Microsoft%20Edge%20or%20Internet + url: https://support.microsoft.com/topic/update-to-block-out-of-date-activex-controls-in-internet-explorer-39ced8f8-5d98-3c7b-4792-b62fad4e2277 # Card - title: Support @@ -137,25 +123,19 @@ landingContent: - linkListType: get-started links: - text: Change or reset Internet Explorer settings - url: https://support.microsoft.com/help/17441/windows-internet-explorer-change-reset-settings + url: https://support.microsoft.com/windows/change-or-reset-internet-explorer-settings-2d4bac50-5762-91c5-a057-a922533f77d5 - text: Troubleshoot problems with setup, installation, auto configuration, and more url: ./ie11-deploy-guide/troubleshoot-ie11.md - text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone - url: https://support.microsoft.com/help/4012494/option-to-disable-vbscript-execution-in-internet-explorer-for-internet + url: https://support.microsoft.com/topic/option-to-disable-vbscript-execution-in-internet-explorer-for-internet-zone-and-restricted-sites-zone-3a2104c0-5af0-9aae-6c57-8207d3cb3e65 - text: Frequently asked questions about IEAK 11 url: ./ie11-faq/faq-ieak11.yml - text: Internet Explorer 8, 9, 10, 11 forum url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver - text: Contact a Microsoft support professional url: https://support.microsoft.com/contactus - - text: Support options for Microsoft Partners - url: https://mspartner.microsoft.com/Pages/Support/get-support.aspx - - text: Microsoft Services Premier Support - url: https://www.microsoft.com/en-us/microsoftservices/support.aspx - - text: Microsoft Small Business Support Center - url: https://smallbusiness.support.microsoft.com/product/internet-explorer - text: General support - url: https://support.microsoft.com/products/internet-explorer + url: https://support.microsoft.com/windows/internet-explorer-help-23360e49-9cd3-4dda-ba52-705336cc0de2 # Card - title: Stay informed @@ -167,4 +147,4 @@ landingContent: - text: Microsoft Edge Dev blog url: https://blogs.windows.com/msedgedev - text: Microsoft Edge Dev on Twitter - url: https://twitter.com/MSEdgeDev \ No newline at end of file + url: https://twitter.com/MSEdgeDev diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index ea499a1774..0e1a848592 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -93,7 +93,7 @@ sections: - question: | Is an example Proxy Auto Configuration (PAC) file available? answer: | - Here is a simple PAC file: + Here's a simple PAC file: ```vb function FindProxyForURL(url, host) @@ -103,7 +103,7 @@ sections: ``` > [!NOTE] - > The previous PAC always returns the **proxyserver:portnumber** proxy. + > The previous PAC always returns the `proxyserver:portnumber` proxy. For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). @@ -113,8 +113,7 @@ sections: - question: | How to improve performance by using PAC scripts answer: | - - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490) - - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance) + For more information, see [Optimizing performance with automatic Proxy configuration scripts (PAC)](/troubleshoot/developer/browsers/connectivity-navigation/optimize-pac-performance). - name: Other questions questions: @@ -123,7 +122,7 @@ sections: answer: | For more information, see the following blog article: - [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6) + [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6) - question: | How to add sites to the Enterprise Mode (EMIE) site list @@ -133,7 +132,7 @@ sections: - question: | What is Content Security Policy (CSP)? answer: | - By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. + By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allowlist of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. @@ -180,7 +179,7 @@ sections: - question: | What is Enterprise Mode Feature? answer: | - For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). + For more information, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). - question: | Where can I obtain a list of HTTP Status codes? @@ -190,9 +189,9 @@ sections: - question: | What is end of support for Internet Explorer 11? answer: | - Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. + Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it's installed. - For more information, see [Lifecycle FAQ — Internet Explorer and Edge](/lifecycle/faq/internet-explorer-microsoft-edge). + For more information, see [Lifecycle FAQ - Internet Explorer and Microsoft Edge](/lifecycle/faq/internet-explorer-microsoft-edge). - question: | How to configure TLS (SSL) for Internet Explorer @@ -229,7 +228,7 @@ sections: - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page **References** - [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) + [How to configure Internet Explorer security zone sites using group policies](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) - question: | What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 2908606c60..017aa6750e 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -39,7 +39,7 @@ "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.itpro-hololens", diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index 1e0f65ecc7..a9772d7b8c 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -36,7 +36,7 @@ "ms.date": "05/23/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.surface-hub", diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index da410e3263..f11706aa9d 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -32,7 +32,7 @@ "ms.date": "05/09/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.surface", diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml index 93f929e957..41fb052a33 100644 --- a/education/breadcrumb/toc.yml +++ b/education/breadcrumb/toc.yml @@ -1,3 +1,4 @@ +items: - name: Docs tocHref: / topicHref: / @@ -12,4 +13,7 @@ - name: Windows tocHref: /education/windows topicHref: /education/windows/index - \ No newline at end of file + - name: Windows + tocHref: /windows/security/ + topicHref: /education/windows/index + diff --git a/education/docfx.json b/education/docfx.json index 38f8413d5f..7aabd80dfc 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -17,7 +17,8 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.svg" + "**/*.svg", + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -27,15 +28,13 @@ ], "globalMetadata": { "recommendations": true, - "ROBOTS": "INDEX, FOLLOW", - "audience": "windows-education", "ms.topic": "article", "ms.technology": "windows", - "manager": "dansimp", + "manager": "aaroncz", "breadcrumb_path": "/education/breadcrumb/toc.json", - "ms.date": "05/09/2017", - "feedback_system": "None", - "hideEdit": true, + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.education", diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 73b3828e76..b9d519b4c6 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,39 +2,59 @@ -## Week of May 02, 2022 +## Week of August 15, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | -| 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified | -| 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified | -| 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | -| 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified | -| 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | -| 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | -| 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | -| 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | -| 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified | -| 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified | -| 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified | -| 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | -| 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified | +| 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | -## Week of April 25, 2022 +## Week of August 08, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | -| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 8/10/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | +| 8/10/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified | +| 8/10/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified | +| 8/10/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | +| 8/10/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified | +| 8/10/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 8/10/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | +| 8/10/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | +| 8/10/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | +| 8/10/2022 | [Enable S mode on Surface Go devices for Education](/education/windows/enable-s-mode-on-surface-go-devices) | modified | +| 8/10/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified | +| 8/10/2022 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified | +| 8/10/2022 | [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](/education/windows/s-mode-switch-to-edu) | modified | +| 8/10/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | +| 8/10/2022 | [Azure AD Join with Set up School PCs app](/education/windows/set-up-school-pcs-azure-ad-join) | modified | +| 8/10/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified | +| 8/10/2022 | [Shared PC mode for school devices](/education/windows/set-up-school-pcs-shared-pc-mode) | modified | +| 8/10/2022 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified | +| 8/10/2022 | [What's new in the Windows Set up School PCs app](/education/windows/set-up-school-pcs-whats-new) | modified | +| 8/10/2022 | [Set up student PCs to join domain](/education/windows/set-up-students-pcs-to-join-domain) | modified | +| 8/10/2022 | [Provision student PCs with apps](/education/windows/set-up-students-pcs-with-apps) | modified | +| 8/10/2022 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified | +| 8/10/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified | +| 8/10/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified | +| 8/10/2022 | [Set up Take a Test on a single PC](/education/windows/take-a-test-single-pc) | modified | +| 8/10/2022 | [Take tests in Windows 10](/education/windows/take-tests-in-windows-10) | modified | +| 8/10/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | +| 8/10/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified | +| 8/10/2022 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified | +| 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified | +| 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified | +| 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified | -## Week of April 18, 2022 +## Week of July 25, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 4/21/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | +| 7/26/2022 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | added | +| 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified | +| 7/25/2022 | Edit an existing topic using the Edit link | removed | +| 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified | diff --git a/education/index.yml b/education/index.yml index 26aa73e3a7..b67a140734 100644 --- a/education/index.yml +++ b/education/index.yml @@ -10,9 +10,11 @@ metadata: description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. ms.service: help ms.topic: hub-page - author: LaurenMoynihan - ms.author: v-lamoyn - ms.date: 10/24/2019 + ms.collection: education + author: paolomatarazzo + ms.author: paoloma + ms.date: 08/10/2022 + manager: aaroncz productDirectory: title: For IT admins @@ -44,24 +46,24 @@ productDirectory: imageSrc: ./images/EDU-Lockbox.svg links: - url: /azure/active-directory/fundamentals/active-directory-deployment-checklist-p2 - text: AAD feature deployment guide - - url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423 + text: Azure Active Directory feature deployment guide + - url: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-information-protection-deployment-acceleration-guide/ba-p/334423 text: Azure information protection deployment acceleration guide - - url: /cloud-app-security/getting-started-with-cloud-app-security + - url: /defender-cloud-apps/get-started text: Microsoft Defender for Cloud Apps - url: /microsoft-365/compliance/create-test-tune-dlp-policy text: Data loss prevention - url: /microsoft-365/compliance/ - text: Microsoft 365 Compliance + text: Microsoft Purview compliance - url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx text: Deploying Lockbox # Card - title: Analytics & insights imageSrc: ./images/EDU-Education.svg links: - - url: /power-bi/service-admin-administering-power-bi-in-your-organization + - url: /power-bi/admin/service-admin-administering-power-bi-in-your-organization text: Power BI for IT admins - - url: /dynamics365/#pivot=get-started + - url: /dynamics365/ text: Dynamics 365 # Card - title: Find deployment help and other support resources @@ -69,11 +71,9 @@ productDirectory: links: - url: /microsoft-365/education/deploy/find-deployment-help text: IT admin help - - url: https://social.technet.microsoft.com/forums/en-us/home - text: TechNet - - url: https://support.office.com/en-us/education + - url: https://support.office.com/education text: Education help center - - url: https://support.office.com/en-us/article/teacher-training-packs-7a9ee74a-8fe5-43d3-bc23-a55185896921 + - url: /learn/educator-center/ text: Teacher training packs # Card - title: Check out our education journey @@ -98,9 +98,9 @@ additionalContent: summary: Learn how web applications can use the API to provide a locked down experience for taking tests. url: /windows/uwp/apps-for-education/take-a-test-api # Card - - title: Office Education Dev center - summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app - url: https://developer.microsoft.com/office/edu + - title: Office dev center + summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app. + url: https://developer.microsoft.com/office/ # Card - title: Data Streamer summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application. @@ -111,15 +111,7 @@ additionalContent: # Card - title: Microsoft Partner Network summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness. - url: https://partner.microsoft.com/solutions/education - # Card - - title: Authorized Education Partner (AEP) program - summary: Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEUs). - url: https://www.mepn.com/ - # Card - - title: Authorized Education Partner Directory - summary: Search through the list of Authorized Education Partners worldwide who can deliver on customer licensing requirements, and provide solutions and services to current and future school needs. - url: https://www.mepn.com/MEPN/AEPSearch.aspx + url: https://partner.microsoft.com/explore/education # Card - title: Education Partner community Yammer group summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer. diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml index 717ae6c902..f90e7d595f 100644 --- a/education/windows/TOC.yml +++ b/education/windows/TOC.yml @@ -1,71 +1,99 @@ -- name: Windows 11 SE for Education +items: +- name: Windows for Education Documentation + href: index.yml +- name: Tutorials + expanded: true items: - - name: Overview - href: windows-11-se-overview.md - - name: Settings and CSP list - href: windows-11-se-settings-list.md -- name: Windows 10 for Education - href: index.md + - name: Deploy and manage Windows devices in a school + href: tutorial-school-deployment/toc.yml +- name: Concepts items: + - name: Windows 11 SE + items: + - name: Overview + href: windows-11-se-overview.md + - name: Settings and CSP list + href: windows-11-se-settings-list.md + - name: Windows in S Mode + items: + - name: Test Windows 10 in S mode on existing Windows 10 education devices + href: test-windows10s-for-edu.md + - name: Enable Windows 10 in S mode on Surface Go devices + href: enable-s-mode-on-surface-go-devices.md - name: Windows 10 editions for education customers href: windows-editions-for-education-customers.md + - name: Shared PC mode for school devices + href: set-up-school-pcs-shared-pc-mode.md - name: Windows 10 configuration recommendations for education customers href: configure-windows-for-education.md - - name: Deployment recommendations for school IT administrators - href: edu-deployment-recommendations.md - - name: Set up Windows devices for education - href: set-up-windows-10.md +- name: How-to-guides + items: + - name: Use the Set up School PCs app + href: use-set-up-school-pcs-app.md + - name: Take tests and assessments in Windows items: - - name: What's new in Set up School PCs - href: set-up-school-pcs-whats-new.md - - name: Technical reference for the Set up School PCs app - href: set-up-school-pcs-technical.md - items: - - name: Azure AD Join for school PCs - href: set-up-school-pcs-azure-ad-join.md - - name: Shared PC mode for school devices - href: set-up-school-pcs-shared-pc-mode.md - - name: Provisioning package settings - href: set-up-school-pcs-provisioning-package.md - - name: Use the Set up School PCs app - href: use-set-up-school-pcs-app.md - - name: Set up student PCs to join domain - href: set-up-students-pcs-to-join-domain.md - - name: Provision student PCs with apps - href: set-up-students-pcs-with-apps.md - - name: Take tests in Windows 10 - href: take-tests-in-windows-10.md - items: - - name: Set up Take a Test on a single PC + - name: Overview + href: take-tests-in-windows-10.md + - name: Configure Take a Test on a single PC href: take-a-test-single-pc.md - - name: Set up Take a Test on multiple PCs + - name: Configure a Test on multiple PCs href: take-a-test-multiple-pcs.md - - name: Take a Test app technical reference - href: take-a-test-app-technical.md + - name: Change Windows edition + items: + - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode + href: s-mode-switch-to-edu.md + - name: Change to Windows 10 Pro Education from Windows 10 Pro + href: change-to-pro-education.md + - name: Upgrade Windows Home to Windows Education on student-owned devices + href: change-home-to-edu.md + - name: "Get and deploy Minecraft: Education Edition" + items: + - name: "Get Minecraft: Education Edition" + href: get-minecraft-for-education.md + - name: "For IT administrators: get Minecraft Education Edition" + href: school-get-minecraft.md + - name: "For teachers: get Minecraft Education Edition" + href: teacher-get-minecraft.md + - name: Work with Microsoft Store for Education + href: education-scenarios-store-for-business.md + - name: Migrate from Chromebook to Windows + items: + - name: Chromebook migration guide + href: chromebook-migration-guide.md + - name: Deploy Windows 10 devices in a school + items: + - name: Overview + href: deploy-windows-10-overview.md + - name: Deploy Windows 10 in a school + href: deploy-windows-10-in-a-school.md + - name: Deploy Windows 10 in a school district + href: deploy-windows-10-in-a-school-district.md + - name: Deployment recommendations for school IT administrators + href: edu-deployment-recommendations.md + - name: Set up Windows devices for education + items: + - name: Overview + href: set-up-windows-10.md + - name: Azure AD join for school PCs + href: set-up-school-pcs-azure-ad-join.md + - name: Active Directory join for school PCs + href: set-up-students-pcs-to-join-domain.md + - name: Provision student PCs with apps + href: set-up-students-pcs-with-apps.md - name: Reset devices with Autopilot Reset href: autopilot-reset.md - - name: Working with Microsoft Store for Education - href: education-scenarios-store-for-business.md - - name: "Get Minecraft: Education Edition" - href: get-minecraft-for-education.md - items: - - name: "For teachers: get Minecraft Education Edition" - href: teacher-get-minecraft.md - - name: "For IT administrators: get Minecraft Education Edition" - href: school-get-minecraft.md - - name: Test Windows 10 in S mode on existing Windows 10 education devices - href: test-windows10s-for-edu.md - - name: Enable Windows 10 in S mode on Surface Go devices - href: enable-s-mode-on-surface-go-devices.md - - name: Deploy Windows 10 in a school - href: deploy-windows-10-in-a-school.md - - name: Deploy Windows 10 in a school district - href: deploy-windows-10-in-a-school-district.md - - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode - href: s-mode-switch-to-edu.md - - name: Change to Windows 10 Pro Education from Windows 10 Pro - href: change-to-pro-education.md - - name: Chromebook migration guide - href: chromebook-migration-guide.md +- name: Reference + items: + - name: Set up School PCs + items: + - name: Set up School PCs app technical reference + href: set-up-school-pcs-technical.md + - name: Provisioning package settings + href: set-up-school-pcs-provisioning-package.md + - name: What's new in Set up School PCs + href: set-up-school-pcs-whats-new.md + - name: Take a Test app technical reference + href: take-a-test-app-technical.md - name: Change history for Windows 10 for Education href: change-history-edu.md + diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 5e41713a4b..ad98be350e 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -1,23 +1,23 @@ --- title: Reset devices with Autopilot Reset description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. -keywords: Autopilot Reset, Windows 10, education -ms.prod: w10 +keywords: Autopilot Reset, Windows, education +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 06/27/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Reset devices with Autopilot Reset -**Applies to:** - -- Windows 10, version 1709 IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 68e0429bb0..2b3d262830 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -2,20 +2,22 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Change history for Windows 10 for Education -This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation. ## May 2019 diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md new file mode 100644 index 0000000000..bb3a601ed0 --- /dev/null +++ b/education/windows/change-home-to-edu.md @@ -0,0 +1,232 @@ +--- +title: Upgrade Windows Home to Windows Education on student-owned devices +description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions. +ms.date: 08/10/2022 +ms.prod: windows +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: scottbreenmsft +ms.author: scbree +ms.reviewer: paoloma +manager: jeffbu +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +--- + +# Upgrade Windows Home to Windows Education on student-owned devices + +## Overview + +Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning. + +> [!NOTE] +> To be qualified for this process, customers must have a Windows Education subscription that includes the student use benefit and must have access to the Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center. + +IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The table below provides the recommended method depending on the scenario. + +| Method | Product key source | Device ownership | Best for | +|-|-|-|-| +| MDM | VLSC | Personal (student-owned) | IT admin initiated via MDM | +| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent or guardian | +| Provisioning package | VLSC | Personal (student-owned) or Corporate (institution-owned) | IT admin initiated at first boot | + +These methods apply to devices with *Windows Home* installed; institution-owned devices can be upgraded from *Windows Professional* or *Windows Pro Edu* to *Windows Education* or *Windows Enterprise* using [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation). + +## User Notifications + +Users aren't notified their device has been or will be upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM will initiate an upgrade to Windows Education and this upgrade will give the institution extra capabilities, such as installing applications. + +Device users can disconnect from MDM in the Settings app, to prevent further actions from being taken on their personal device. For instructions on disconnecting from MDM, see [Remove your Windows device from management](/mem/intune/user-help/unenroll-your-device-from-intune-windows). + +## Why upgrade student-owned devices from Windows Home to Windows Education? + +Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. Some of the CSPs not available in Windows Home that can affect typical student onboarding are: + +- [EnterpriseDesktopAppManagement](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - which enables deployment of Windows installer or Win32 applications. +- [DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) - which enables configuration of Delivery Optimization. + +A full list of CSPs are available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows). + +## Requirements for using a MAK to upgrade from Windows Home to Windows Education + +- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center. +- A qualifying Windows subscription such as: + - Windows A3, or; + - Windows A5. +- A pre-installed and activated instance of Windows 10 Home or Windows 11 Home. + +You can find more information in the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/productoffering). + +## How the upgrade process works + +IT admins with access to the VLSC or the Microsoft 365 Admin Center, can find their MAK for Windows Education and trigger an upgrade using Mobile Device Management or manually on devices. + +> [!WARNING] +> The MAK is highly sensitive and should always be protected. Only authorized staff should be given access to the key and it should never be distributed to students or broadly to your organization in documentation or emails. + +### Recommended methods for using a MAK + +It's critical that MAKs are protected whenever they're used. The following processes provide the best protection for a MAK being applied to a device: + +- Provisioning package by institution approved staff; +- Manual entry by institution approved staff (don't distribute the key via email); +- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp); + > [!IMPORTANT] + > If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students. +- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager. + +For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades). + +## Downgrading, resetting, reinstalling and graduation rights + +After upgrading from *Windows Home* to *Windows Education* there are some considerations for what happens during downgrade, reset or reinstall of the operating system. + +The table below highlights the differences by upgrade product key type: + +| Product Key Type | Downgrade (in-place) | Reset | Student reinstall | +|-|-|-|-| +| VLSC | No | Yes | No | +| Kivuto OnTheHub | No | Yes | Yes | + +### Downgrade + +It isn't possible to downgrade to *Windows Home* from *Windows Education* without reinstalling Windows. + +### Reset + +If the computer is reset, Windows Education will be retained. + +### Reinstall + +The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) will be used to activate Windows. + +If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key prior to graduation. + +For details on product keys and reinstalling Windows, see [Find your Windows product key](https://support.microsoft.com/windows/find-your-windows-product-key-aaa2bf69-7b2b-9f13-f581-a806abf0a886). + +### Resale + +The license will remain installed on the device if resold and the same conditions above apply for downgrade, reset or reinstall. + +## Step by step process for customers to upgrade student-owned devices using Microsoft Intune + +These steps provide instructions on how to use Microsoft Intune to upgrade devices from Home to Education. + +### Step 1: Create a Windows Home edition filter + +These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters). + +- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com) +- Select **Tenant administration** > **Filters** +- Select **Create** + - Specify a name for the filter (for example *Windows Home edition*) + - Select the **platform** as **Windows 10 and later** + - Select **Next** +- On the **Rules** screen, configure the following rules: + - **operatingSystemSKU** equals **Core (Windows 10/11 Home (101))** + - OR + - **operatingSystemSKU** equals **CoreN (Windows 10/11 Home N (98))** + - OR + - **operatingSystemSKU** equals **CoreSingleLanguage (Windows 10/11 Home single language (100))** + + > [!NOTE] + > Ensure you've selected OR as the operator in the right And/Or column + + :::image type="content" source="images/change-home-to-edu-windows-home-edition-intune-filter.png" alt-text="Example of configuring the Windows Home filter"::: + +- Optionally select scope tags as required +- Save the filter by selecting **Create** + +### Step 2: Create a Windows edition upgrade policy + +These steps create and assign a Windows edition upgrade policy. For more information, see [Windows 10/11 device settings to upgrade editions or enable S mode in Intune](/mem/intune/configuration/edition-upgrade-windows-settings). + +- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com) +- Select **Devices** > **Configuration profiles** +- Select **Create profile** + - Select the **Platform** as **Windows 10 or later** + - Select the **Profile type** as **Templates** + - Select the **Template** as **Edition upgrade and mode switch** + - Select **Create** +- Specify a name for the policy (for example *Windows Education edition upgrade*), select **Next** +- On the **Configuration settings** screen + - Expand **Edition Upgrade** + - Change **Edition to upgrade** to **Windows 10/11 Education** + - In the **Product Key**, enter your *Windows 10/11 Education MAK* + - Select **Next** + + :::image type="content" source="images/change-home-to-edu-windows-edition-upgrade-policy.png" alt-text="Example of configuring the Windows upgrade policy in Microsoft Intune"::: + +- Optionally select scope tags as required and select **Next** +- On the **assignments** screen; + - Select **Add all devices** + - Next to **All devices**, select **Edit filter** + + > [!NOTE] + > You can also target other security groups that contain a smaller scope of users or devices and apply the filter rather than All devices. + + - Select to **Include filtered devices in assignment** + - Select the *Windows Home edition* filter you created earlier + - Choose **Select** to save the filter selection + - Select **Next** to progress to the next screen +- Don't configure any applicability rules and select **next** +- Review your settings and select **Create** + +The edition upgrade policy will now apply to all existing and new Windows Home edition devices targeted. + +### Step 3: Report on device edition + +You can check the Windows versions of managed devices in the Microsoft Endpoint Manager admin console. + +- Start in the **Microsoft Endpoint Manager admin console** +- Select **Devices** > **Windows** +- Select the **Columns** button +- Select **Sku Family** +- Select **Export** +- Select **Only include the selected columns in the exported file** and select **Yes** +- Open the file in Excel and filter on the Sku Family column to identify which devices are running the Home SKU + +## Frequently asked questions (FAQ) + +### My MAK key has run out of activations, how do I request a new one? + +Increases to MAK Activation quantity can be requested by contacting [VLSC support](/licensing/contact-us) and may be granted by exception. A request can be made by accounts with the VLSC Administrator, Key Administrator, or Key Viewer permissions. The request should include the following information: + +- Agreement/Enrollment Number or License ID and Authorization. +- Product Name (includes version and edition). +- Last five characters of the product key. +- The number of host activations required. +- Business Justification or Reason for Deployment. + +### What is a firmware-embedded activation key? + +A firmware-embedded activation key is a Windows product key that is installed into the firmware of your device. The embedded key makes it easier to install and activate Windows. To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt: + +```powershell +(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey +``` + +If the device has a firmware-embedded activation key, it will be displayed in the output. Otherwise, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. + +A firmware embedded key is only required to upgrade using Subscription Activation, a MAK upgrade doesn't require the firmware embedded key. + +### What is a multiple activation key and how does it differ from using KMS, Active Directory based activation or Subscription Activation? + +A multiple activation key activates either individual computers or a group of computers by connecting directly to servers over the internet or by telephone. KMS, Active Directory based activation and subscription activation are bulk activation methods that work based on network proximity or joining to Active Directory or Azure Active Directory. The table below shows which methods can be used for each scenario. + +| Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation | +|-|-|:-:|:-:|:-:|:-:| +| **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | | +| **Azure AD Join** | Organization | X | X | | X | +| **Hybrid Azure AD Join** | Organization | X | X | X | X | + +## Related links + +- [Windows 10 edition upgrade (Windows 10)](/windows/deployment/upgrade/windows-10-edition-upgrades) +- [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation) +- [Equip Your Students with Windows 11 Education - Kivuto](https://kivuto.com/windows-11-student-use-benefit/) +- [Upgrade Windows Home to Windows Pro (microsoft.com)](https://support.microsoft.com/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818) +- [Partner Center: Upgrade Education customers from Windows 10 Home to Windows 10 Education](/partner-center/upgrade-windows-to-education) diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index d1ed1e7192..3c0e5424ee 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -2,16 +2,19 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Change to Windows 10 Pro Education from Windows 10 Pro diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 6ecad551d4..b7d6452223 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -2,26 +2,24 @@ title: Chromebook migration guide (Windows 10) description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -ms.reviewer: -manager: dansimp keywords: migrate, automate, device, Chromebook migration -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Chromebook migration guide - -**Applies to** - -- Windows 10 - In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 6d0c2694a5..4b876aa023 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -4,21 +4,19 @@ description: Provides guidance on ways to configure the OS diagnostic data, cons keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology ms.mktglfcycl: plan ms.sitesec: library -ms.prod: w10 +ms.prod: windows ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Windows 10 configuration recommendations for education customers -**Applies to:** - -- Windows 10 - Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index aa2e5b4d70..6f72f69d44 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -2,24 +2,23 @@ title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices. keywords: configure, tools, device, school district, deploy Windows 10 -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deploy Windows 10 in a school district -**Applies to** - -- Windows 10 - - This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment @@ -1279,9 +1278,9 @@ You've now identified the tasks you need to perform monthly, at the end of an ac * [Try it out: Windows 10 in the classroom](../index.yml) * [Chromebook migration guide](./chromebook-migration-guide.md) * [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md) -* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.md) -* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.md) -* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md) -* [Reprovision devices at the end of the school year (video)](./index.md) -* [Use MDT to deploy Windows 10 in a school (video)](./index.md) -* [Use Microsoft Store for Business in a school environment (video)](./index.md) +* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.yml) +* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.yml) +* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.yml) +* [Reprovision devices at the end of the school year (video)](./index.yml) +* [Use MDT to deploy Windows 10 in a school (video)](./index.yml) +* [Use Microsoft Store for Business in a school environment (video)](./index.yml) diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index b618ca7b09..ee97678d29 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -2,24 +2,23 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deploy Windows 10 in a school - -**Applies to** - -- Windows 10 - This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for school deployment diff --git a/education/windows/index.md b/education/windows/deploy-windows-10-overview.md similarity index 97% rename from education/windows/index.md rename to education/windows/deploy-windows-10-overview.md index 9db6cd7672..3977c5f664 100644 --- a/education/windows/index.md +++ b/education/windows/deploy-windows-10-overview.md @@ -2,14 +2,19 @@ title: Windows 10 for Education (Windows 10) description: Learn how to use Windows 10 in schools. keywords: Windows 10, education -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Windows 10 for Education diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index fb2c72d34b..c29d3d4a47 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -4,20 +4,19 @@ description: Provides guidance on ways to customize the OS privacy settings, and keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library +ms.prod: windows ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.prod: w10 +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deployment recommendations for school IT administrators -**Applies to:** - -- Windows 10 - Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 7909586e9b..4fbe0e9f89 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -2,17 +2,20 @@ title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. keywords: school, Microsoft Store for Education, Microsoft education store -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium searchScope: - Store -author: dansimp -ms.author: dansimp -ms.date: 03/30/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index e7dce928ea..e056e38381 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -2,16 +2,19 @@ title: Enable S mode on Surface Go devices for Education description: Steps that an education customer can perform to enable S mode on Surface Go devices keywords: Surface Go for Education, S mode -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/30/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Surface Go for Education - Enabling S mode diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 2ce2c20be3..f03899ae3d 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,27 +2,24 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. keywords: school, Minecraft, education edition -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/29/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.topic: conceptual +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - - [Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. diff --git a/education/windows/images/change-home-to-edu-windows-edition-upgrade-policy.png b/education/windows/images/change-home-to-edu-windows-edition-upgrade-policy.png new file mode 100644 index 0000000000..f9c4fc3a12 Binary files /dev/null and b/education/windows/images/change-home-to-edu-windows-edition-upgrade-policy.png differ diff --git a/education/windows/images/change-home-to-edu-windows-home-edition-intune-filter.png b/education/windows/images/change-home-to-edu-windows-home-edition-intune-filter.png new file mode 100644 index 0000000000..a033a481c3 Binary files /dev/null and b/education/windows/images/change-home-to-edu-windows-home-edition-intune-filter.png differ diff --git a/education/windows/index.yml b/education/windows/index.yml new file mode 100644 index 0000000000..510c5c520f --- /dev/null +++ b/education/windows/index.yml @@ -0,0 +1,85 @@ +### YamlMime:Landing + +title: Windows for Education documentation +summary: Evaluate, plan, deploy, and manage Windows devices in an education environment + +metadata: + title: Windows for Education documentation + description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune + ms.topic: landing-page + ms.prod: windows + ms.collection: education + author: paolomatarazzo + ms.author: paoloma + ms.date: 08/10/2022 + ms.reviewer: + manager: aaroncz + ms.localizationpriority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + +landingContent: + + - title: Get started + linkLists: + - linkListType: tutorial + links: + - text: Deploy and manage Windows devices in a school + url: tutorial-school-deployment/index.md + - text: Prepare your tenant + url: tutorial-school-deployment/set-up-azure-ad.md + - text: Configure settings and applications with Microsoft Intune + url: tutorial-school-deployment/configure-devices-overview.md + - text: Manage devices with Microsoft Intune + url: tutorial-school-deployment/manage-overview.md + - text: Management functionalities for Surface devices + url: tutorial-school-deployment/manage-surface-devices.md + + + - title: Learn about Windows 11 SE + linkLists: + - linkListType: concept + links: + - text: What is Windows 11 SE? + url: windows-11-se-overview.md + - text: Windows 11 SE settings + url: windows-11-se-settings-list.md + - linkListType: video + links: + - text: Deploy Windows 11 SE using Set up School PCs + url: https://www.youtube.com/watch?v=Ql2fbiOop7c + + + - title: Deploy devices with Set up School PCs + linkLists: + - linkListType: concept + links: + - text: What is Set up School PCs? + url: set-up-school-pcs-technical.md + - linkListType: how-to-guide + links: + - text: Use the Set up School PCs app + url: use-set-up-school-pcs-app.md + - linkListType: reference + links: + - text: Provisioning package settings + url: set-up-school-pcs-provisioning-package.md + - linkListType: video + links: + - text: Use the Set up School PCs App + url: https://www.youtube.com/watch?v=2ZLup_-PhkA + + + - title: Configure devices + linkLists: + - linkListType: concept + links: + - text: Take tests and assessments + url: take-tests-in-windows-10.md + - text: Change Windows editions + url: change-home-to-edu.md + - text: "Deploy Minecraft: Education Edition" + url: get-minecraft-for-education.md \ No newline at end of file diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index cb2e995ef3..a09d48ae19 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -4,14 +4,17 @@ description: Switching out of Windows 10 Pro in S mode to Windows 10 Pro Educati keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.prod: w10 +ms.prod: windows ms.sitesec: library ms.pagetype: edu -ms.date: 12/03/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.author: dansimp -author: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 6ba860cd94..8ed1fbf9e7 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -2,27 +2,26 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: Minecraft, Education Edition, IT admins, acquire -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/30/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 ms.topic: conceptual --- # For IT administrators - get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - -When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. +When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription, Minecraft: Education Edition will be added to the inventory in your Microsoft Admin Center which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Admin Center is only displayed to members of your organization with administrative roles. >[!Note] >If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information, see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). @@ -34,7 +33,7 @@ Schools that purchased these products have an extra option for making Minecraft: - Microsoft 365 A3 or Microsoft 365 A5 - Minecraft: Education Edition -If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already. +If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already. > [!Note] > If you add a faculty license, the user will be assigned an instructor role in the application and will have elevated permissions. @@ -43,37 +42,27 @@ After selecting the appropriate product license, ensure Minecraft: Education Edi If you turn off this setting after students have been using Minecraft: Education Edition, they will have up to 30 more days to use Minecraft: Education Edition before they don't have access. -## Add Minecraft to your Microsoft Store for Education +## How to get Minecraft: Education Edition -You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies). +Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies). If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). ### Minecraft: Education Edition - direct purchase -1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. +1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar. - +2. Scroll down and select **Buy Now** under Direct Purchase. -2. Enter your email address, and select Educator, Administrator, or Student.
If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one. +3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account. - - -3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store. +4. If necessary, fill in any requested organization or payment information. - +5. Select the quantity of licenses you would like to purchase and select **Place Order**. -4. Sign in to Microsoft Store for Education with your email address. +6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users). -5. Read and accept the Microsoft Store for Education Service Agreement, and then select **Next**. - -6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory. - - - -Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). - -If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-more-licenses). +If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). ### Minecraft: Education Edition - volume licensing @@ -89,7 +78,7 @@ You can pay for Minecraft: Education Edition with a debit or credit card, or wit ### Debit or credit cards -During the purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card. +During the purchase, click **Add a new payment method**. Provide the info needed for your debit or credit card. ### Invoices @@ -101,234 +90,22 @@ Invoices are now a supported payment method for Minecraft: Education Edition. Th **To pay with an invoice** -1. During the purchase, click **Get started! Add a way to pay.** - - ![Buy page for an app, showing the link for Get started! Add a way to pay.](images/mcee-add-payment-method.png) +1. During the purchase, click **Add a new payment method.** 2. Select the Invoice option, and provide the info needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization. ![Invoice Details page showing items that need to be completed for an invoice. PO number is highlighted.](images/mcee-invoice-info.png) -### Find your invoice - -After you've finished the purchase, you can find your invoice by checking **Minecraft: Education Edition** in your **Apps & software**. - -> [!NOTE] -> After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Apps & software**. - -**To view your invoice** - -1. In Microsoft Store for Education, click **Manage** and then click **Apps & software**. -2. Click **Minecraft: Education Edition** in the list of apps. -3. On **Minecraft: Education Edition**, click **View Bills**. - - ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-view-bills.png) - -4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. - - ![Minecraft: The page displaying details of the Education Edition app with view bills link highlighted.](images/mcee-invoice-bills.png) - -The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. +For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?). ## Distribute Minecraft -After Minecraft: Education Edition is added to your Microsoft Store for Education inventory, you have three options: -- You can install the app on your PC. -- You can assign the app to others. -- You can download the app to distribute. - -Admins can also add Minecraft: Education Edition to the private store. This allows people in your organization to install the app from the private store. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store). - - - -### Configure automatic subscription assignment - -For Minecraft: Education Edition, you can use auto assign subscription to control whether or not you assign a subscription when a member of your organization signs in to the app. When auto assign subscription is on, people from your organization who don’t have a subscription will automatically get one when they sign in to Minecraft: Education Edition. When auto assign subscription is off, people from your organization will get the trial version when they sign in to Minecraft: Education Edition. This allows you to control which people use the trial version, and which people are assigned a full subscription. You can always reassign subscriptions, but planning ahead will reduce time spent managing apps and subscriptions. By default, automatic subscription assignment is turned on. - -**How to turn off automatic subscription assignment** - -> [!Note] -> The version of the Minecraft: Education Edition page in the Microsoft Store will be different depending on which Microsoft Store for Education flight you are using. - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) -2. Click Manage. - - You'll see Minecraft: Education Edition product page. - - ![Minecraft Education Edition product page with auto assign control highlighted.](images/mcee-auto-assign-legacy.png) - - -Or- - - ![The page of the Minecraft Education Edition product with auto assign control highlighted.](images/mcee-auto-assign-bd.png) - -3. Slide the **Auto assign subscription** or select **Turn off auto assign subscription**. - -### Install for me - -You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app. - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Install**. - - - -3. Click **Install**. - -### Assign to others - -Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app. - -**To assign to others** - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. - - ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -3. Click **Invite people**. -4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. - - You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student. - ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) - -**To finish Minecraft install (for students)** - -1. Students will receive an email with a link that will install the app on their PC.
- - ![Email with Get the app link.](images/minecraft-student-install-email.png) - -2. Click **Get the app** to start the app install in Microsoft Store app. -3. In Microsoft Store app, click **Install**. - - ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) - - After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10. - - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) - - When students click **My Library** they'll find apps assigned to them. - - ![My Library for example student.](images/minecraft-my-library.png) - -### Download for others -Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: -- You have administrative permissions to install apps on the PC. -- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. -- Your students share Windows 10 computers, but sign in with their own Windows account. - -**Requirements** -- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app. -- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition. - -**Check for updates**
-Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. - -**To check for app updates** - -1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). -2. Click the account button, and then click **Downloads and updates**. - - ![Microsoft Store app showing Downloads and updates](images/minecraft-private-store.png) - -3. Click **Check for updates**, and install all available updates. - - ![Microsoft Store app displaying Check for updates.](images/mc-check-for-updates.png) - -4. Restart the computer before installing Minecraft: Education Edition. - -**To download for others**
-You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC. - -1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - - ![Microsoft Store app showing the Download.](images/mc-dnld-others-teacher.png) - -2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. -3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. -4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. -5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install. -6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use. - - - - - - - - - - - +After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee). ## Learn more -[Working with Microsoft Store for Education – education scenarios](education-scenarios-store-for-business.md)
-Learn about overall Microsoft Store for Education management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history. -[Roles and permissions in Microsoft Store for Business and Education](/microsoft-store/roles-and-permissions-microsoft-store-for-business) -[Troubleshoot Microsoft Store for Business and Education](/microsoft-store/troubleshoot-microsoft-store-for-business) + +[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac) ## Related topics [Get Minecraft: Education Edition](get-minecraft-for-education.md) -[For teachers get Minecraft: Education Edition](teacher-get-minecraft.md) \ No newline at end of file diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index a04a034238..b7a35b9784 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -2,16 +2,19 @@ title: Azure AD Join with Set up School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 01/11/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Azure AD Join for school PCs diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 328e6c3c68..3aeb7d738c 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -2,16 +2,19 @@ title: What's in Set up School PCs provisioning package description: Lists the provisioning package settings that are configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/17/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # What's in my provisioning package? diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md index 25aa35b4f0..e007d4957b 100644 --- a/education/windows/set-up-school-pcs-shared-pc-mode.md +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -2,16 +2,19 @@ title: Shared PC mode for school devices description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/13/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Shared PC mode for school devices diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index de0bc50602..6dbdf70186 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -2,25 +2,23 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/11/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # What is Set up School PCs? - -**Applies to:** - -- Windows 10 - The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index 29c5d1cc71..fce328a1c0 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -2,21 +2,24 @@ title: What's new in the Windows Set up School PCs app description: Find out about app updates and new features in Set up School PCs. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 08/31/2020 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # What's new in Set up School PCs -Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases. - +Learn what's new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases. ## Week of August 24, 2020 @@ -26,8 +29,7 @@ You can now give devices running Windows 10, version 2004 and later a name that' ## Week of September 23, 2019 ### Easier way to deploy Office 365 to your classroom devices - Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams. - + Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams. ## Week of June 24, 2019 @@ -100,15 +102,10 @@ The Skype and Messaging apps are part of a selection of apps that are, by defaul ## Next steps -Learn how to create provisioning packages and set up devices in the app. +Learn how to create provisioning packages and set up devices in the app. * [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) * [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) * [Set up School PCs technical reference](set-up-school-pcs-technical.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) - -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). - - - - +* [Set up Windows 10 devices for education](set-up-windows-10.md) +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). \ No newline at end of file diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index cbad40867b..32f97bf4b3 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -2,21 +2,21 @@ title: Set up student PCs to join domain description: Learn how to use Configuration Designer to provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/27/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Set up student PCs to join domain -**Applies to:** - -- Windows 10 If your school uses Active Directory, use the Windows Configuration Designer tool to create a provisioning package that will configure a PC for student use that is joined to the Active Directory domain. diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 30b657f9b6..840dd7836b 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -1,31 +1,27 @@ --- title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer -ms.prod: w10 -ms.pagetype: edu -ms.mktglfcycl: plan -ms.sitesec: library +ms.prod: windows ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Provision student PCs with apps -**Applies to:** -- Windows 10 - - -To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). +To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. -- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). + - If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package. + +[EDU-1]: /education/windows/windows-11-se-overview + +[MEM-1]: /mem/intune/apps/apps-win32-add + +[INT-1]: /intune-education/express-configuration-intune-edu +[INT-2]: /intune-education/add-web-apps-edu \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md new file mode 100644 index 0000000000..333618e34c --- /dev/null +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md @@ -0,0 +1,142 @@ +--- +title: Configure and secure devices with Microsoft Intune +description: Configure policies with Microsoft Intune in preparation to device deployment +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Configure and secure devices with Microsoft Intune + +With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies. +For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel. + +Settings can be assigned to groups: + +- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to +- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices + +There are two ways to manage settings in Intune for Education: + +- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments +- **Group settings.** This option is used to configure all settings that are offered by Intune for Education + +> [!NOTE] +> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices. + +In this section you will: +> [!div class="checklist"] +> * Configure settings with Express Configuration +> * Configure group settings +> * Create Windows Update policies +> * Configure security policies + +## Configure settings with Express Configuration + +With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools. + +> [!TIP] +> To learn more, and practice step-by-step Express Configuration in Intune for Education, try this interactive demo. + +## Configure group settings + +Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings: + +1. Sign in to the Intune for Education portal +1. Select **Groups** > Pick a group to manage +1. Select **Windows device settings** +1. Expand the different categories and review information about individual settings + +Settings that are commonly configured for student devices include: + +- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7] +- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8] +- Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9] + +For more information, see [Windows device settings in Intune for Education][INT-3]. + +## Create Windows Update policies + +It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education. + +To create a Windows Update policy: + +1. Select **Groups** > Pick a group to manage +1. Select **Windows device settings** +1. Expand the category **Update and upgrade** +1. Configure the required settings as needed + +For more information, see [Updates and upgrade][INT-6]. + +> [!NOTE] +> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information: +> - [What is Windows Update for Business?][WIN-1] +> - [Manage Windows software updates in Intune][MEM-1] + +## Configure security policies + +It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows. +Intune for Education provides different settings to secure devices. + +To create a security policy: + +1. Select **Groups** > Pick a group to manage +1. Select **Windows device settings** +1. Expand the category **Security** +1. Configure the required settings as needed, including + - Windows Defender + - Windows Encryption + - Windows SmartScreen + +For more information, see [Security][INT-4]. + +> [!NOTE] +> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information: +> - [Antivirus][MEM-2] +> - [Disk encryption][MEM-3] +> - [Firewall][MEM-4] +> - [Endpoint detection and response][MEM-5] +> - [Attack surface reduction][MEM-6] +> - [Account protection][MEM-7] + +________________________________________________________ + +## Next steps + +With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices. + +> [!div class="nextstepaction"] +> [Next: Configure applications >](configure-device-apps.md) + + + +[EDU-1]: /education/windows/windows-11-se-overview + +[INT-2]: /intune-education/express-configuration-intune-edu +[INT-3]: /intune-education/all-edu-settings-windows +[INT-4]: /intune-education/all-edu-settings-windows#security +[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade +[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop +[INT-8]: /intune-education/add-wi-fi-profile +[INT-9]: /intune-education/take-a-test-profiles + +[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb + +[MEM-1]: /mem/intune/protect/windows-update-for-business-configure +[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy +[MEM-3]: /mem/intune/protect/encrypt-devices +[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy +[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy +[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy +[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md new file mode 100644 index 0000000000..bea37bf92b --- /dev/null +++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md @@ -0,0 +1,70 @@ +--- +title: Configure devices with Microsoft Intune +description: Configure policies and applications in preparation to device deployment +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Configure settings and applications with Microsoft Intune + +Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune. +Microsoft Intune uses Azure AD groups to assign policies and applications to devices. +With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them. + +In this section you will: +> [!div class="checklist"] +> * Create groups +> * Create and assign policies to groups +> * Create and assign applications to groups + +## Create groups + +By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need. + +By default, Intune for Education creates two default groups: *All devices* and *All users*. +Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school. + +:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true"::: + +Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to. + +Two group types can be created: + +- **Assigned groups** are used when you want to manually add users or devices to a group +- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups + +> [!TIP] +> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution. + +For more information, see: + +- [Create groups in Intune for Education][EDU-1] +- [Manually add or remove users and devices to an existing assigned group][EDU-2] +- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3] + +________________________________________________________ + +## Next steps + +With the groups created, you can configure policies and applications to deploy to your groups. + +> [!div class="nextstepaction"] +> [Next: Configure policies >](configure-device-settings.md) + + + +[EDU-1]: /intune-education/create-groups +[EDU-2]: /intune-education/edit-groups-intune-for-edu +[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md new file mode 100644 index 0000000000..5747c986a4 --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-aadj.md @@ -0,0 +1,42 @@ +--- +title: Enrollment in Intune with standard out-of-box experience (OOBE) +description: how to join Azure AD for OOBE and automatically get the device enrolled in Intune +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- +# Automatic Intune enrollment via Azure AD join + +If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Azure Active Directory tenant, and automatically enroll it in Intune. +With this process, no advance preparation is needed: + +1. Follow the on-screen prompts for region selection, keyboard selection, and network connection +1. Wait for updates. If any updates are available, they'll be installed at this time + :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true"::: +1. When prompted, select **Set up for work or school** and authenticate using your school's Azure Active Directory account + :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true"::: +1. The device will join Azure AD and automatically enroll in Intune. All settings defined in Intune will be applied to the device + +> [!IMPORTANT] +> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot. + +:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: + +________________________________________________________ +## Next steps + +With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status. + +> [!div class="nextstepaction"] +> [Next: Manage devices >](manage-overview.md) \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md new file mode 100644 index 0000000000..d4333d8625 --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md @@ -0,0 +1,160 @@ +--- +title: Enrollment in Intune with Windows Autopilot +description: how to join Azure AD and enroll in Intune using Windows Autopilot +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Windows Autopilot + +Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices. + +Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated. + +## Prerequisites + +Before setting up Windows Autopilot, consider these prerequisites: + +- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot +- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices +- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1] + +> [!NOTE] +> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune][INT-1] and [Microsoft 365][M365-1]. + +## Register devices to Windows Autopilot + +Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot: + +- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2] + > [!NOTE] + > For **Microsoft Surface registration**, collect the details shown in this [documentation table][SURF-1] and follow the instruction to submit the request form to Microsoft Support. +- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5] + > [!TIP] + > Try the Microsoft Partner Center clickable demo, which provides detailed steps to establish a partner relationship and register devices. +- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6] + > [!IMPORTANT] + > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. + +## Create groups for Autopilot devices + +**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices. +For this task, it's recommended to create dynamic device groups using Autopilot attributes. + +Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag: + +1. Sign in to the Intune for Education portal +1. Select **Groups** > **Create group** +1. Specify a **Group name** and select **Dynamic** +1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value +1. Select **Create group** + :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true"::: + +More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. + +> [!TIP] +> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings. + +## Create Autopilot deployment profiles + +For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices. +A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be: +1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE +1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode. + +To create an Autopilot deployment profile: + +1. Sign in to the Intune for Education portal +1. Select **Groups** > Select a group from the list +1. Select **Windows device settings** +1. Expand the **Enrolment** category +1. From **Configure Autopilot deployment profile for device** select **User-driven** +1. Ensure that **User account type** is configured as **Standard** +1. Select **Save** + +While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. + +### Configure an Enrollment Status Page + +An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status. + +:::image type="content" source="./images/win11-oobe-esp.png" alt-text="Windows OOBE - enrollment status page" border="false"::: + +> [!NOTE] +> Some Windows Autopilot deployment profiles **require** the ESP to be configured. + +To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager. + +> [!TIP] +> While testing the deployment process, you can configure the ESP to: +> - allow the reset of the devices in case the installation fails +> - allow the use of the device if installation error occurs +> +> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing. + +For more information, see [Set up the Enrollment Status Page][MEM-3]. + +> [!CAUTION] +> When targeting an ESP to **Windows 11 SE** devices, only applications included in the [approved app list][EDU-1] should part of the ESP configuration. + +### Autopilot end-user experience + +Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection. +When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows: + +1. Identify the language and region +1. Select the keyboard layout and decide on the option for a second keyboard layout +1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step +1. Apply updates: the device will look for and apply required updates +1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur +1. The user authenticates to Azure AD, using the school account +1. The device joins Azure AD, enrolls in Intune and all the settings and applications are configured + +> [!NOTE] +> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection. + +:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: + +________________________________________________________ +## Next steps + +With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status. + +> [!div class="nextstepaction"] +> [Next: Manage devices >](manage-overview.md) + + + +[MEM-1]: /mem/intune/fundamentals/intune-endpoints +[MEM-2]: /mem/autopilot/oem-registration +[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune +[MEM-4]: /mem/autopilot/profiles +[MEM-5]: /mem/autopilot/partner-registration +[MEM-6]: /mem/autopilot/add-devices + +[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements + +[MSFT-1]: https://partner.microsoft.com/ + +[INT-1]: /intune/network-bandwidth-use + +[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 + +[EDU-1]: /education/windows/windows-11-se-overview +[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot + +[SURF-1]: /surface/surface-autopilot-registration-support \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md new file mode 100644 index 0000000000..1a0048e8b2 --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-overview.md @@ -0,0 +1,48 @@ +--- +title: Device enrollment overview +description: Options to enroll Windows devices in Microsoft Intune +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: overview +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Device enrollment overview + +There are three main methods for joining Windows devices to Azure AD and getting them enrolled and managed by Intune: + +- **Automatic Intune enrollment via Azure AD join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Azure AD. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices +- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join an Azure AD tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience +- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users + +## Choose the enrollment method + +**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments. +This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies. + +:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false"::: + +Select one of the following options to learn the next steps about the enrollment method you chose: + +> [!div class="nextstepaction"] +> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md) + +> [!div class="nextstepaction"] +> [Next: Bulk enrollment with provisioning packages >](enroll-package.md) + +> [!div class="nextstepaction"] +> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md) + + + +[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md new file mode 100644 index 0000000000..acfb5e06ff --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-package.md @@ -0,0 +1,77 @@ +--- +title: Enrollment of Windows devices with provisioning packages +description: options how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Enrollment with provisioning packages + +Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are: + +- There are no particular hardware dependencies on the devices to complete the enrollment process +- Devices don't need to be registered in advance +- Enrollment is a simple task: just open a provisioning package and the process is automated + +You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections. + +## Set up School PCs + +With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Azure AD join and Intune enrollment process. + +### Create a provisioning package + +The Set Up School PCs app guides you through configuration choices for school-owned devices. + +:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false"::: + +> [!CAUTION] +> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page. + +Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios. + +For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1]. + +> [!TIP] +> To learn more and practice with Set up School PCs, try the Set Up School PCs demo, which provides detailed steps to create a provisioning package and deploy a device. +## Windows Configuration Designer + +Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package. + +:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false"::: + +For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use. + +## Enroll devices with the provisioning package + +To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune. + +:::image type="content" source="./images/win11-oobe-ppkg.png" alt-text="Windows 11 OOBE - enrollment with provisioning package." border="false"::: + +:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: + +________________________________________________________ +## Next steps + +With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status. + +> [!div class="nextstepaction"] +> [Next: Manage devices >](manage-overview.md) + + + +[EDU-1]: /education/windows/use-set-up-school-pcs-app + +[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/images/advanced-support.png b/education/windows/tutorial-school-deployment/images/advanced-support.png new file mode 100644 index 0000000000..d7655d1616 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/advanced-support.png differ diff --git a/education/windows/tutorial-school-deployment/images/configure.png b/education/windows/tutorial-school-deployment/images/configure.png new file mode 100644 index 0000000000..6e3219a7cb Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/configure.png differ diff --git a/education/windows/tutorial-school-deployment/images/device-lifecycle.png b/education/windows/tutorial-school-deployment/images/device-lifecycle.png new file mode 100644 index 0000000000..ab14cdb9f0 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/device-lifecycle.png differ diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png new file mode 100644 index 0000000000..3386f7673a Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png differ diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile.png b/education/windows/tutorial-school-deployment/images/dfci-profile.png new file mode 100644 index 0000000000..d77dc06f3d Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/dfci-profile.png differ diff --git a/education/windows/tutorial-school-deployment/images/enroll.png b/education/windows/tutorial-school-deployment/images/enroll.png new file mode 100644 index 0000000000..352cda9509 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/enroll.png differ diff --git a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png new file mode 100644 index 0000000000..69b22745a6 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png new file mode 100644 index 0000000000..3f031053d5 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-branding.png b/education/windows/tutorial-school-deployment/images/entra-branding.png new file mode 100644 index 0000000000..7201c7386d Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-branding.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-device-settings.png b/education/windows/tutorial-school-deployment/images/entra-device-settings.png new file mode 100644 index 0000000000..ef18b7391f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-device-settings.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png new file mode 100644 index 0000000000..4cf21148d1 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png differ diff --git a/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png new file mode 100644 index 0000000000..69f9fb188a Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png differ diff --git a/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png b/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png new file mode 100644 index 0000000000..5c1215f6d8 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png new file mode 100644 index 0000000000..20b05ad9d7 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-education-apps.png b/education/windows/tutorial-school-deployment/images/intune-education-apps.png new file mode 100644 index 0000000000..5b6599de3e Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-apps.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png new file mode 100644 index 0000000000..75543684ca Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-education-groups.png b/education/windows/tutorial-school-deployment/images/intune-education-groups.png new file mode 100644 index 0000000000..87f4546e88 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-groups.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-education-portal.png b/education/windows/tutorial-school-deployment/images/intune-education-portal.png new file mode 100644 index 0000000000..6bcc9f9375 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-portal.png differ diff --git a/education/windows/tutorial-school-deployment/images/inventory-reporting.png b/education/windows/tutorial-school-deployment/images/inventory-reporting.png new file mode 100644 index 0000000000..39c904e205 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/inventory-reporting.png differ diff --git a/education/windows/tutorial-school-deployment/images/m365-admin-center.png b/education/windows/tutorial-school-deployment/images/m365-admin-center.png new file mode 100644 index 0000000000..d471b441dd Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/m365-admin-center.png differ diff --git a/education/windows/tutorial-school-deployment/images/protect-manage.png b/education/windows/tutorial-school-deployment/images/protect-manage.png new file mode 100644 index 0000000000..7ee7040a46 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/protect-manage.png differ diff --git a/education/windows/tutorial-school-deployment/images/remote-actions.png b/education/windows/tutorial-school-deployment/images/remote-actions.png new file mode 100644 index 0000000000..5a3f95bc51 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/remote-actions.png differ diff --git a/education/windows/tutorial-school-deployment/images/retire.png b/education/windows/tutorial-school-deployment/images/retire.png new file mode 100644 index 0000000000..c079cfeaac Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/retire.png differ diff --git a/education/windows/tutorial-school-deployment/images/supcs-win11se.png b/education/windows/tutorial-school-deployment/images/supcs-win11se.png new file mode 100644 index 0000000000..700ff6d87f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/supcs-win11se.png differ diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png new file mode 100644 index 0000000000..339bd90904 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png differ diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal.png b/education/windows/tutorial-school-deployment/images/surface-management-portal.png new file mode 100644 index 0000000000..a1b7dd37ab Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/surface-management-portal.png differ diff --git a/education/windows/tutorial-school-deployment/images/wcd.png b/education/windows/tutorial-school-deployment/images/wcd.png new file mode 100644 index 0000000000..fba5be741f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/wcd.png differ diff --git a/education/windows/tutorial-school-deployment/images/whfb-disable.png b/education/windows/tutorial-school-deployment/images/whfb-disable.png new file mode 100644 index 0000000000..97177965e3 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/whfb-disable.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png new file mode 100644 index 0000000000..0ec380619e Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-login-screen.png b/education/windows/tutorial-school-deployment/images/win11-login-screen.png new file mode 100644 index 0000000000..438dda11bc Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-login-screen.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png new file mode 100644 index 0000000000..5ebb6a9f14 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png new file mode 100644 index 0000000000..73efb59230 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png new file mode 100644 index 0000000000..7de484934b Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png new file mode 100644 index 0000000000..51bbc39c9f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-wipe.png b/education/windows/tutorial-school-deployment/images/win11-wipe.png new file mode 100644 index 0000000000..027afae172 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-wipe.png differ diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md new file mode 100644 index 0000000000..d68fd2fd82 --- /dev/null +++ b/education/windows/tutorial-school-deployment/index.md @@ -0,0 +1,87 @@ +--- +title: Introduction +description: Introduction to deployment and management of Windows devices in education environments +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +--- + +# Tutorial: deploy and manage Windows devices in a school + +This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment. + +## Audience and user requirements + +This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including: + +- School leaders +- IT administrators +- Teachers +- Microsoft partners + +This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**. + +> [!NOTE] +> Depending on your school setup scenario, you may not need to implement all steps. + +## Device lifecycle management + +Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management. + +Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. +Microsoft Endpoint Manager services include: + +- [Microsoft Intune][MEM-1] +- [Microsoft Intune for Education][INT-1] +- [Configuration Manager][MEM-2] +- [Desktop Analytics][MEM-3] +- [Windows Autopilot][MEM-4] +- [Surface Management Portal][MEM-5] + +These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk. + +## Why Intune for Education? + +Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point. +From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle: + +:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false"::: + +- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Azure AD tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies +- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator +- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates +- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios + +## Four pillars of modern device management + +In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management: + +- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory, as the foundation for user identity and authentication +- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence +- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education +- **Device reset:** Resetting managed devices with Intune for Education + +________________________________________________________ +## Next steps + +Let's begin with the creation and configuration of your Azure AD tenant and Intune environment. + +> [!div class="nextstepaction"] +> [Next: Set up Azure Active Directory >](set-up-azure-ad.md) + + + +[MEM-1]: /mem/intune/fundamentals/what-is-intune +[MEM-2]: /mem/configmgr/core/understand/introduction +[MEM-3]: /mem/configmgr/desktop-analytics/overview +[MEM-4]: /mem/autopilot/windows-autopilot +[MEM-5]: /mem/autopilot/dfci-management + +[INT-1]: /intune-education/what-is-intune-for-education \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md new file mode 100644 index 0000000000..6be402a17d --- /dev/null +++ b/education/windows/tutorial-school-deployment/manage-overview.md @@ -0,0 +1,71 @@ +--- +title: Manage devices with Microsoft Intune +description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Manage devices with Microsoft Intune + +Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained. + +:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false"::: + +## Remote device management + +With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely. + +### Remote actions + +Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device. + +:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true"::: + +With bulk actions, remote actions can be performed on multiple devices at once. + +To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1]. + +## Remote assistance + +With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices. + +For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2]. + +## Device inventory and reporting + +With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline. + +Here are the steps for generating reports in Intune for Education: + +1. Sign in to the Intune for Education portal +1. Select **Reports** +1. Select between one of the report types: + - Device inventory + - Device actions + - Application inventory + - Settings errors + - Windows Defender + - Autopilot deployment +1. If needed, use the search box to find specific devices, applications, and settings +1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel. + :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true"::: + +To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3]. + + + +[EDU-1]: /intune-education/edu-device-remote-actions +[EDU-2]: /intune-education/remote-assist-mobile-devices +[EDU-3]: /intune-education/what-are-reports diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md new file mode 100644 index 0000000000..c8d8f1a1c3 --- /dev/null +++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md @@ -0,0 +1,54 @@ +--- +title: Management functionalities for Surface devices +description: Management capabilities offered to Surface devices, including firmware management and the Surface Management Portal +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Surface devices +--- + +# Management functionalities for Surface devices + +Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them. + +## Manage device firmware for Surface devices + +Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices. + +DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI. + +:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true"::: + +## Microsoft Surface Management Portal + +Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. + +When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities. + +To access and use the Surface Management Portal: + +1. Sign in to Microsoft Endpoint Manager admin center +1. Select **All services** > **Surface Management Portal** + :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true"::: +1. To obtain insights for all your Surface devices, select **Monitor** + - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here +1. To obtain details on each insights category, select **View report** + - This dashboard displays diagnostic information that you can customize and export +1. To obtain the device's warranty information, select **Device warranty and coverage** +1. To review a list of support requests and their status, select **Support requests** + + + +[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows + +[MEM-1]: /mem/autopilot/dfci-management + +[SURF-1]: /surface/surface-manage-dfci-guide diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md new file mode 100644 index 0000000000..ca8bac240d --- /dev/null +++ b/education/windows/tutorial-school-deployment/reset-wipe.md @@ -0,0 +1,122 @@ +--- +title: Reset and wipe Windows devices +description: Reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Device reset options + +There are different scenarios that require a device to be reset, for example: + +- The device isn't responding to commands +- The device is lost or stolen +- It's the end of the life of the device +- It's the end of the school year and you want to prepare the device for a new school year +- The device has hardware problems and you want to send it to the service center + +:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false"::: + +Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them: + +- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings +- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state + +## Factory reset (wipe) + +A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management. + +Once the wipe is completed, the device will be in out-of-box experience. + +Here are the steps to perform a factory reset from Intune for Education: + +1. Sign in to the Intune for Education portal +1. Select **Devices** +1. Select the device you want to reset > **Factory reset** +1. Select **Factory reset** to confirm the action + +:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false"::: + +Consider using factory reset in the following example scenarios: + +- The device isn't working properly, and you want to reset it without reimaging it +- It's the end of school year and you want to prepare the device for a new school year +- You need to reassign the device to a different student, and you want to reset the device to its original settings +- You're returning a device to the service center, and you want to remove all data and settings from the device + +> [!TIP] +> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device. + +## Autopilot Reset + +Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant. + +Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen. + +Here are the steps to perform an Autopilot reset from Intune for Education: + +1. Sign in to the Intune for Education portal +1. Select **Devices** +1. Select the device you want to reset > **Autopilot reset** +1. Select **Autopilot reset** to confirm the action + +:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false"::: + +Consider using Autopilot reset in the following example scenarios: + +- The device isn't working properly, and you want to reset it without reimaging it +- It's the end of school year and you want to prepare the device for a new school year +- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE + +> [!TIP] +> Consider that the end user will **not** go through OOBE, and the association of the user to the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode). + +## Wiping and deleting a device + +There are scenarios that require a device to be deleted from your tenant, for example: + +- The device is lost or stolen +- It's the end of the life of the device +- The device has been replaced with a new device or has its motherboard replaced + +> [!IMPORTANT] +> The following actions should only be performed for devices that are no longer going to be used in your tenant. + + To completely remove a device, you need to perform the following actions: + +1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1] +1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2] +1. Delete the device from Azure Active Directory using [these steps][MEM-3] + +## Autopilot considerations for a motherboard replacement scenario + +Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. If a motherboard replacement is needed on an Autopilot device, it's suggested the following process: + +1. Deregister the device from Autopilot +1. Replace the motherboard +1. Capture a new device ID (4K HH) +1. Re-register the device with Autopilot + > [!IMPORTANT] + > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management. +1. Reset the device +1. Return the device + +For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4]. + + +[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal +[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal +[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal +[MEM-4]: /mem/autopilot/autopilot-mbr diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md new file mode 100644 index 0000000000..c134a1a846 --- /dev/null +++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md @@ -0,0 +1,179 @@ +--- +title: Set up Azure Active Directory +description: How to create and prepare your Azure AD tenant for an education environment +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +#appliesto: +--- + +# Set up Azure Active Directory + +The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school. + +Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms. + +In this section you will: +> [!div class="checklist"] +> * Set up a Microsoft 365 Education tenant +> * Add users, create groups, and assign licenses +> * Configure school branding +> * Enable bulk enrollment + +## Create a Microsoft 365 tenant + +If you don't already have a Microsoft 365 tenant, you'll need to create one. + +For more information, see [Create your Office 365 tenant account][M365-1] + +> [!TIP] +> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try this interactive demo. +### Explore the Microsoft 365 admin center + +The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant). + +From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others: + +:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true"::: + +For more information, see [Overview of the Microsoft 365 admin center][M365-2]. + +> [!NOTE] +> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant. + +## Add users, create groups, and assign licenses + +With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above. + +> [!NOTE] +> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Azure Active Directory sync](#azure-active-directory-sync) below. + +### School Data Sync + +School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes. + +For more information, see [Overview of School Data Sync][SDS-1]. + +> [!TIP] +> To learn more and practice with School Data Sync, follow the Microsoft School Data Sync demo, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant. + +> [!NOTE] +> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [O365-EDU-Tools GitHub site](https://github.com/OfficeDev/O365-EDU-Tools). +> +> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment. + +### Azure Active Directory sync + +To integrate an on-premises directory with Azure Active Directory, you can use **Microsoft Azure Active Directory Connect** to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including: + +- [Password hash synchronization][AAD-1] +- [Pass-through authentication][AAD-2] +- [Federated authentication][AAD-3] + +For more information, see [Set up directory synchronization for Microsoft 365][O365-1]. + +### Create users manually + +In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center. + +There are two options for adding users manually, either individually or in bulk: + +1. To add students and teachers as users in Microsoft 365 Education *individually*: + - Sign in to the Microsoft Entra admin center + - Select **Azure Active Directory** > **Users** > **All users** > **New user** > **Create new user** + For more information, see [Add users and assign licenses at the same time][M365-3]. +1. To add *multiple* users to Microsoft 365 Education: + - Sign in to the Microsoft Entra admin center + - Select **Azure Active Directory** > **Users** > **All users** > **Bulk operations** > **Bulk create** + +For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4]. +### Create groups + +Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group** +1. On the **New group** page, select **Group type** > **Security** +1. Provide a group name and add members, as needed +1. Select **Next** + +For more information, see [Create a group in the Microsoft 365 admin center][M365-5]. + +### Assign licenses + +The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed. + +To assign a license to a group: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Show More** > **Billing** > **Licenses** +1. Select the required products that you want to assign licenses for > **Assign** +1. Add the groups to which the licenses should be assigned + + :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png"::: + +For more information, see [Group-based licensing using Azure AD admin center][AAD-4]. + +## Configure school branding + +Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience. + +To configure your school's branding: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Show More** > **User experiences** > **Company branding** +1. You can specify brand settings like background image, logo, username hint and a sign-in page text + :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png"::: +1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties** +1. In the **Name** field, enter the school district or organization's name > **Save** + :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png"::: + +For more information, see [Add branding to your directory][AAD-5]. + +## Enable bulk enrollment + +If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant. + +To allow provisioning packages to complete the Azure AD Join process: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Devices** > **Device Settings** +1. Under **Users may join devices to Azure AD**, select **All** + > [!NOTE] + > If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users. +1. Select Save + :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png"::: + +________________________________________________________ + +## Next steps + +With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune. + +> [!div class="nextstepaction"] +> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md) + + + +[AAD-1]: /azure/active-directory/hybrid/whatis-phs +[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta +[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis +[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign +[AAD-5]: /azure/active-directory/fundamentals/customize-branding + +[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant +[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview +[M365-3]: /microsoft-365/admin/add-users/add-users +[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time +[M365-5]: /microsoft-365/admin/create-groups/create-groups + +[O365-1]: /office365/enterprise/set-up-directory-synchronization + +[SDS-1]: /schooldatasync/overview-of-school-data-sync diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md new file mode 100644 index 0000000000..ebd9cc6e9a --- /dev/null +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md @@ -0,0 +1,104 @@ +--- +title: Set up device management +description: How to configure the Intune service and set up the environment for education. +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +#appliesto: +--- + +# Set up Microsoft Intune + +Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale. + +Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments. + +:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true"::: + +**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year. + +For more information, see [Intune for Education documentation][INT-1]. + +In this section you will: +> [!div class="checklist"] +> * Review Intune's licensing prerequisites +> * Configure the Intune service for education devices + +## Prerequisites + +Before configuring settings with Intune for Education, consider the following prerequisites: + +- **Intune subscription.** Microsoft Intune is licensed in three ways: + - As a standalone service + - As part of [Enterprise Mobility + Security][MSFT-1] + - As part of a [Microsoft 365 Education subscription][MSFT-2] +- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS + +For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*. + +## Configure the Intune service for education devices + +The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts. + +### Configure enrollment restrictions + +With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school. + +To block personally owned Windows devices from enrolling: + +1. Sign in to the Microsoft Endpoint Manager admin center +1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions** +1. Select the **Windows restrictions** tab +1. Select **Create restriction** +1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next** +1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next** + :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true"::: +1. Optionally, on the **Scope tags** page, add scope tags > **Next** +1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next** +1. On the **Review + create** page, select **Create** to save the restriction + +For more information, see [Create a device platform restriction][MEM-2]. + +### Disable Windows Hello for Business + +Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled. +It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices. +To disable Windows Hello for Business at the tenant level: + +1. Sign in to the Microsoft Endpoint Manager admin center +1. Select **Devices** > **Windows** > **Windows Enrollment** +1. Select **Windows Hello for Business** +1. Ensure that **Configure Windows Hello for Business** is set to **disabled** +1. Select **Save** + +:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center" border="true"::: + +For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. + +________________________________________________________ + +## Next steps + +With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices. + +> [!div class="nextstepaction"] +> [Next: Configure devices >](configure-devices-overview.md) + + + +[MEM-1]: /mem/intune/fundamentals/licenses +[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set +[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy + +[INT-1]: /intune-education/what-is-intune-for-education + +[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security +[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education +[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml new file mode 100644 index 0000000000..294e70dc20 --- /dev/null +++ b/education/windows/tutorial-school-deployment/toc.yml @@ -0,0 +1,38 @@ +items: + - name: Introduction + href: index.md + - name: 1. Prepare your tenant + items: + - name: Set up Azure Active Directory + href: set-up-azure-ad.md + - name: Set up Microsoft Intune + href: set-up-microsoft-intune.md + - name: 2. Configure settings and applications + items: + - name: Overview + href: configure-devices-overview.md + - name: Configure policies + href: configure-device-settings.md + - name: Configure applications + href: configure-device-apps.md + - name: 3. Deploy devices + items: + - name: Overview + href: enroll-overview.md + - name: Enroll devices via Azure AD join + href: enroll-aadj.md + - name: Enroll devices with provisioning packages + href: enroll-package.md + - name: Enroll devices with Windows Autopilot + href: enroll-autopilot.md + - name: 4. Manage devices + items: + - name: Overview + href: manage-overview.md + - name: Management functionalities for Surface devices + href: manage-surface-devices.md + - name: Reset and wipe devices + href: reset-wipe.md + - name: 5. Troubleshoot and get help + href: troubleshoot-overview.md + diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md new file mode 100644 index 0000000000..9b4a442ee2 --- /dev/null +++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md @@ -0,0 +1,68 @@ +--- +title: Troubleshoot Windows devices +description: How to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide) +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Troubleshoot Windows devices + +Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices. +Here's a collection of resources to help you troubleshoot Windows devices managed by Intune: + +- [Troubleshooting device enrollment in Intune][MEM-2] +- [Troubleshooting Windows Autopilot][MEM-9] +- [Troubleshoot Windows Wi-Fi profiles][MEM-6] +- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5] +- [Troubleshooting BitLocker with the Intune encryption report][MEM-4] +- [Troubleshooting CSP custom settings][MEM-8] +- [Troubleshooting Win32 app installations with Intune][MEM-7] +- [Troubleshooting device actions in Intune][MEM-3] +- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user + :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true"::: + +## How to contact Microsoft Support + +Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop. + +Follow these steps to obtain support in Microsoft Endpoint Manager: + +- Sign in to the Microsoft Endpoint Manager admin center +- Select **Troubleshooting + support** > **Help and support** + :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png"::: +- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365 +- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests* +- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like: + - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution + - View insights: find links to documentation that provides context and background specific to the product area or actions you've described + - Recommended articles: browse suggested troubleshooting topics and other content related to your issue +- If needed, use the *Contact support* pane to file an online support ticket + > [!IMPORTANT] + > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue. +- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review + +For more information, see [Microsoft Endpoint Manager support page][MEM-1] + + +[MEM-1]: /mem/get-support +[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune +[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions +[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center +[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune +[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles +[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install +[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings +[MEM-9]: /mem/autopilot/troubleshooting +[MEM-10]: /mem/intune/remote-actions/collect-diagnostics diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ca36e12e5a..958e32ad29 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -2,18 +2,20 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/23/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Use the Set up School PCs app IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM. diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 5a247f51f3..32691a8669 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -1,25 +1,22 @@ --- title: What is Windows 11 SE description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education. -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -author: aczechowski -ms.author: aaroncz -manager: dougeby +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -ms.localizationpriority: medium -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 SE --- # Windows 11 SE for Education -**Applies to**: - -- Windows 11 SE -- Microsoft Intune for Education - Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately). For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits: @@ -56,11 +53,11 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |FortiClient |7.0.1.0083 |Win32 |Fortinet| |Free NaturalReader |16.1.2 |Win32 |Natural Soft| |GoGuardian |1.4.4 |Win32 |GoGuardian| -|Google Chrome |100.0.4896.127|Win32 |Google| +|Google Chrome |102.0.5005.115|Win32 |Google| |Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education| |Immunet |7.5.0.20795 |Win32 |Immunet| |JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific| -|Kite Student Portal |8.0.1 |Win32 |Dynamic Learning Maps| +|Kite Student Portal |8.0.3.0 |Win32 |Dynamic Learning Maps| |Kortext |2.3.433.0 |Store |Kortext| |Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems| |LanSchool |9.1.0.46 |Win32 |Stoneware| @@ -75,15 +72,14 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |NonVisual Desktop Access |2021.3.1 |Win32 |NV Access| |NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA| |Pearson TestNav |1.10.2.0 |Store |Pearson| -|Questar Secure Browser |4.8.3.376 |Win32 |Questar| +|Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc| |ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.| |Remote Desktop client (MSRDC) |1.2.3213.0 |Win32 |Microsoft| |Remote Help |3.8.0.12 |Win32 |Microsoft| |Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus| |Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser| |Secure Browser |14.0.0 |Win32 |Cambium Development| -|Secure Browser |4.8.3.376 |Win32 |Questar, Inc| -|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| +|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| |SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access| |Zoom |5.9.1 (2581)|Win32 |Zoom| |ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific| diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index b2b9df5de8..e654aff272 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -1,25 +1,22 @@ --- title: Windows 11 SE settings list description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change. -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -author: aczechowski -ms.author: aaroncz -manager: dougeby +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -ms.localizationpriority: medium -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 SE --- # Windows 11 SE for Education settings list -**Applies to**: - -- Windows 11 SE -- Microsoft Intune for Education - Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings. This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 759d485046..172f1e3c6c 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -2,23 +2,22 @@ title: Windows 10 editions for education customers description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions. keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Windows 10 editions for education customers -**Applies to:** - -- Windows 10 - Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). @@ -64,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https: ## Related topics - [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) -- [Windows deployment for education](./index.md) +- [Windows deployment for education](./index.yml) - [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths) - [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10) - [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client) diff --git a/gdpr/TOC.yml b/gdpr/TOC.yml deleted file mode 100644 index 981fe6d622..0000000000 --- a/gdpr/TOC.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Index - href: index.md diff --git a/gdpr/docfx.json b/gdpr/docfx.json index eaa6eba4eb..d786f46f58 100644 --- a/gdpr/docfx.json +++ b/gdpr/docfx.json @@ -36,7 +36,7 @@ "ms.author": "lizross", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "contributors_to_exclude": [ "rjagiewich", "traya1", diff --git a/gdpr/index.md b/gdpr/index.md deleted file mode 100644 index 6d4bf54dc0..0000000000 --- a/gdpr/index.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -ms.date: 09/21/2017 ---- -# placeholder \ No newline at end of file diff --git a/images/sc-image402.png b/images/sc-image402.png deleted file mode 100644 index 8bfe73fd87..0000000000 Binary files a/images/sc-image402.png and /dev/null differ diff --git a/mdop/docfx.json b/mdop/docfx.json index dfa58fa007..6ff865c683 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -36,7 +36,7 @@ "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "https://github.com/MicrosoftDocs/mdop-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.mdop", diff --git a/smb/TOC.yml b/smb/TOC.yml deleted file mode 100644 index 45500dc1bc..0000000000 --- a/smb/TOC.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Windows 10 for SMB - href: index.md - items: - - name: "Get started: Deploy and manage a full cloud IT solution for your business" - href: cloud-mode-business-setup.md diff --git a/smb/breadcrumb/toc.yml b/smb/breadcrumb/toc.yml deleted file mode 100644 index 317dcb4c3b..0000000000 --- a/smb/breadcrumb/toc.yml +++ /dev/null @@ -1,12 +0,0 @@ -items: -- name: Docs - tocHref: / - topicHref: / - items: - - name: Windows - tocHref: /windows - topicHref: /windows/resources/ - items: - - name: SMB - tocHref: /windows/smb - topicHref: /windows/smb/index \ No newline at end of file diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md deleted file mode 100644 index 729c76f598..0000000000 --- a/smb/cloud-mode-business-setup.md +++ /dev/null @@ -1,590 +0,0 @@ ---- -title: Deploy and manage a full cloud IT solution for your business -description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices. -keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365 -ms.prod: w10 -ms.technology: -ms.author: eravena -audience: itpro -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: smb -author: eavena -ms.reviewer: -manager: dansimp -ms.localizationpriority: medium -ms.topic: conceptual ---- - -# Get started: Deploy and manage a full cloud IT solution for your business - -![Learn how to set up a full cloud infrastructure for your business.](images/business-cloud-mode.png) - -**Applies to:** - -- Microsoft 365 Business Standard, Azure AD Premium, Intune, Microsoft Store for Business, Windows 10 - -Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools? - -In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Microsoft 365 Business Standard, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to: -- Acquire a Microsoft 365 for business domain -- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant -- Set up Microsoft Store for Business and manage app deployment and sync with Intune -- Add users and groups in Azure AD and Intune -- Create policies and app deployment rules -- Log in as a user and start using your Windows device - -Go to [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) to learn more about pricing and purchasing options for your business. - -## Prerequisites - -Here's a few things to keep in mind before you get started: - -- You'll need a registered domain to successfully go through the walkthrough. - - If you already own a domain, you can add this during the Office 365 setup. - - If you don't already own a domain, you can purchase a domain from the Microsoft 365 admin center. This walkthrough includes the steps. -- You'll need an email address to create your Office 365 tenant. -- We recommend that you use Internet Explorer for the entire walkthrough. Right select on Internet Explorer > **Start InPrivate Browsing**. - -## 1. Set up your cloud infrastructure -To set up a cloud infrastructure for your organization, follow the steps in this section. - -### 1.1 Set up Office 365 for business - -See [Microsoft 365 admin center for business](/microsoft-365/admin) and [Microsoft 365 resources for nonprofits](https://www.microsoft.com/nonprofits/microsoft-365) to learn more about the setup steps for businesses and nonprofits who have Office 365. You can learn how to: -- Plan your setup -- Create Office 365 accounts and how to add your domain. -- Install Office - -To set up your Microsoft 365 for business tenant, see [Get Started with Microsoft 365 for business](/microsoft-365/business-video/what-is-microsoft-365). - -If you're new at setting up Office 365, and you'd like to see how it's done, you can follow these steps to get started: - -1. Go to [Try or buy a Microsoft 365 for business subscription](/microsoft-365/commerce/try-or-buy-microsoft-365). In this walkthrough, we'll select **Try now**. - - **Figure 1** - Try or buy Office 365 - - ![Office 365 for business sign up.](images/office365_tryorbuy_now.png) - -2. Fill out the sign up form and provide information about you and your company. -3. Create a user ID and password to use to sign into your account. - - This step creates an `onmicrosoft.com` email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into [https://portal.office.com](https://portal.office.com) (the admin portal). - -4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code. -5. Select **You're ready to go...** which will take you to the Microsoft 365 admin center. - - > [!NOTE] - > In the Microsoft 365 admin center, icons that are greyed out are still installing. - - **Figure 2** - Microsoft 365 admin center - - :::image type="content" alt-text="Opens the Microsoft 365 admin center." source="images/office365_portal.png"::: - - -6. Select the **Admin** tile to go to the admin center. -7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup. - - This step can take up to a half hour to complete. - - **Figure 3** - Admin center - - :::image type="content" alt-text="Complete the Office 365 setup in the Microsoft 365 admin center." source="images/office365_admin_portal.png"::: - - -8. Go back to the [admin center](https://portal.office.com/adminportal/home#/homepage) to add or buy a domain. - 1. Select the **Domains** option. - - **Figure 4** - Option to add or buy a domain - - :::image type="content" alt-text="Add or buy a domain in admin center." source="images/office365_buy_domain.png"::: - - - 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as `fabrikamdesign.onmicrosoft.com`. - - **Figure 5** - Microsoft-provided domain - - :::image type="content" alt-text="Microsoft-provided domain." source="images/office365_ms_provided_domain.png"::: - - - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. - - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. - - Once you've added your domain, you'll see it listed in addition to the Microsoft-provided onmicrosoft.com domain. - - **Figure 6** - Domains - - :::image type="content" alt-text="Verify your domains in the admin center." source="images/office365_additional_domain.png"::: - -### 1.2 Add users and assign product licenses -Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center. - -When adding users, you can also assign admin privileges to certain users in your team. You'll also want to assign **Product licenses** to each user so that subscriptions can be assigned to the person. - -**To add users and assign product licenses** - -1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Users > Active users**. - - **Figure 7** - Add users - - :::image type="content" alt-text="Add Office 365 users." source="images/office365_users.png"::: - -2. In the **Home > Active users** page, add users individually or in bulk. - - To add users one at a time, select **+ Add a user**. - - If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users). - - **Figure 8** - Add an individual user - - :::image type="content" alt-text="Add an individual user." source="images/office365_add_individual_user.png"::: - - - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users. - - The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users). Once you've added all the users, don't forget to assign **Product licenses** to the new users. - - **Figure 9** - Import multiple users - - :::image type="content" alt-text="Import multiple users." source="images/office365_import_multiple_users.png"::: - -3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them. - - **Figure 10** - List of active users - - :::image type="content" alt-text="Verify users and assigned product licenses." source="images/o365_active_users.png"::: - -### 1.3 Add Microsoft Intune -Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see [Microsoft Intune is an MDM and MAM provider](/mem/intune/fundamentals/what-is-intune). - -**To add Microsoft Intune to your tenant** - -1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Billing > Purchase services**. -2. In the **Home > Purchase services** screen, search for **Microsoft Intune**. Hover over **Microsoft Intune** to see the options to start a free 30-day trial or to buy now. -3. Confirm your order to enable access to Microsoft Intune. -4. In the admin center, the Intune licenses will show as available and ready to be assigned to users. Select **Users > Active users** and then edit the product licenses assigned to the users to turn on **Intune A Direct**. - - **Figure 11** - Assign Intune licenses - - :::image type="content" alt-text="Assign Microsoft Intune licenses to users." source="images/o365_assign_intune_license.png"::: - -5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again. -6. Select **Intune**. This step opens the Endpoint Manager admin center. - - **Figure 12** - Microsoft Intune management portal - - :::image type="content" alt-text="Microsoft Intune management portal." source="images/intune_portal_home.png"::: - -Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution). - -### 1.4 Add Azure AD to your domain -Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune. - -**To add Azure AD to your domain** - -1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Admin centers > Azure AD**. - - > [!NOTE] - > You will need Azure AD Premium to configure automatic MDM enrollment with Intune. - -2. If you have not signed up for Azure AD before, you will see the following message. To proceed with the rest of the walkthrough, you need to activate an Azure subscription. - - **Figure 13** - Access to Azure AD is not available - - :::image type="content" alt-text="Access to Azure AD not available." source="images/azure_ad_access_not_available.png"::: - -3. From the error message, select the country/region for your business. The region should match with the location you specified when you signed up for Office 365. -4. Select **Azure subscription**. This step will take you to a free trial sign up screen. - - **Figure 14** - Sign up for Microsoft Azure - - :::image type="content" alt-text="Sign up for Microsoft Azure." source="images/azure_ad_sign_up_screen.png"::: - -5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**. -6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**. - - **Figure 15** - Start managing your Azure subscription - - :::image type="content" alt-text="Start managing your Azure subscription." source="images/azure_ad_successful_signup.png"::: - - This step will take you to the [Microsoft Azure portal](https://portal.azure.com). - -### 1.5 Add groups in Azure AD -This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see [Managing access to resources with Azure Active Directory groups](/azure/active-directory/active-directory-manage-groups. - -To add Azure AD group(s), use the [Microsoft Azure portal](https://portal.azure.com). See [Managing groups in Azure Active Directory](/azure/active-directory/active-directory-accessmanagement-manage-groups) for more information about managing groups. - -**To add groups in Azure AD** - -1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node, you will see a screen informing you that your directory is ready for use. - - Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory. - - **Figure 16** - Azure first sign-in screen - - :::image type="content" alt-text="Select Azure AD." source="images/azure_portal_classic_configure_directory.png"::: - -2. Select the directory (such as Fabrikam Design) to go to the directory's home page. - - **Figure 17** - Directory home page - - :::image type="content" alt-text="Directory home page." source="images/azure_portal_classic_directory_ready.png"::: - -3. From the menu options on top, select **Groups**. - - **Figure 18** - Azure AD groups - - :::image type="content" alt-text="Add groups in Azure AD." source="images/azure_portal_classic_groups.png"::: - -4. Select **Add a group** (from the top) or **Add group** at the bottom. -5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list. - - **Figure 19** - Newly added group in Azure AD - - :::image type="content" alt-text="Verify the new group appears on the list." source="images/azure_portal_classic_all_users_group.png"::: - -6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes. - - The members that were added to the group will appear on the list. - - **Figure 20** - Members in the new group - - :::image type="content" alt-text="Members added to the new group." source="images/azure_portal_classic_members_added.png"::: - -7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on. - -### 1.6 Configure automatic MDM enrollment with Intune -Now that you have Azure AD Premium and have it properly configured, you can configure automatic MDM enrollment with Intune, which allows users to enroll their Windows devices into Intune management, join their devices directly to Azure AD, and get access to Office 365 resources after sign in. - -You can read the [Windows 10, Azure AD and Microsoft Intune blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/) to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough. - -> [!IMPORTANT] -> We will use the classic Azure portal instead of the new portal to configure automatic MDM enrollment with Intune. - -**To enable automatic MDM enrollment** - -1. In the Azure portal, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options. - - The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list. - - **Figure 21** - List of applications for your company - - :::image type="content" alt-text="List of applications for your company." source="images/azure_portal_classic_applications.png"::: - -2. Select **Microsoft Intune** to configure the application. -3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune. - - **Figure 22** - Configure Microsoft Intune in Azure - - :::image type="content" alt-text="Configure Microsoft Intune in Azure." source="images/azure_portal_classic_configure_intune_app.png"::: - -4. In the Microsoft Intune configuration page: - - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance. - - > [!NOTE] - > The URLs are automatically configured for your Azure AD tenant so you don't need to change them. - - - In the **Manage devices for these users** section, you can specify which users' devices should be managed by Intune. - - **All** will enable all users' Windows 10 devices to be managed by Intune. - - **Groups** let you select whether only users that belong to a specific group will have their devices managed by Intune. - - > [!NOTE] - > In this step, choose the group that contains all the users in your organization as members. This is the **All** group. - -5. After you've chosen how to manage devices for users, select **Save** to enable automatic MDM enrollment with Intune. - - **Figure 23** - Configure Microsoft Intune - - :::image type="content" alt-text="Configure automatic MDM enrollment with Intune." source="images/azure_portal_classic_configure_intune_mdm_enrollment.png"::: - -### 1.7 Configure Microsoft Store for Business for app distribution -Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune. - -In this part of the walkthrough, use the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and [Microsoft Store for Business](https://businessstore.microsoft.com/Store/Apps). - -**To associate your Store account with Intune and configure synchronization** - -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**. - - **Figure 24** - Mobile device management - - :::image type="content" alt-text="Set up mobile device management in Intune." source="images/intune_admin_mdm_configure.png"::: - -3. Sign into [Microsoft Store for Business](https://businessstore.microsoft.com/Store/Apps) using the same tenant account that you used to sign into Intune. -4. Accept the EULA. -5. In the Store portal, select **Settings > Management tools** to go to the management tools page. -6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business. - - **Figure 25** - Activate Intune as the Store management tool - - :::image type="content" alt-text="Activate Intune from the Store portal." source="images/wsfb_management_tools_activate.png"::: - -7. Go back to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**. -8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune. - - **Figure 26** - Configure Store for Business sync in Intune - - :::image type="content" alt-text="Configure Store for Business sync in Intune." source="images/intune_admin_mdm_store_sync.png"::: - -9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**. - - **Figure 27** - Enable Microsoft Store for Business sync in Intune - - :::image type="content" alt-text="Enable Store for Business sync in Intune." source="images/intune_configure_store_app_sync_dialog.png"::: - - The **Microsoft Store for Business** page will refresh and it will show the details from the sync. - -**To buy apps from the Store** - -In your [Microsoft Store for Business portal](https://businessstore.microsoft.com/Store/Apps), you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory: -- Sway -- OneNote -- PowerPoint Mobile -- Excel Mobile -- Word Mobile - -In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune. - -In the following example, we'll show you how to buy apps through the Microsoft Store for Business and then make sure the apps appear on Intune. - -**Example 1 - Add other apps like Reader and InstaNote** - -1. In the [Microsoft Store for Business portal](https://businessstore.microsoft.com/Store/Apps), click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list. - - **Figure 28** - Shop for Store apps - - :::image type="content" alt-text="Shop for Store apps." source="images/wsfb_shop_microsoft_apps.png"::: - -2. Click to select an app, such as **Reader**. This opens the app page. -3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page. -4. In the app's Store page, click **Add to private store**. -5. Next, search for another app by name (such as **InstaNote**) or repeat steps 1-4 for the **InstaNote** app. -6. Go to **Manage > Inventory** and verify that the apps you purchased appear in your inventory. - - **Figure 29** - App inventory shows the purchased apps - - :::image type="content" alt-text="Confirm that your inventory shows purchased apps." source="images/wsfb_manage_inventory_newapps.png"::: - - > [!NOTE] - > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync). - -**To sync recently purchased apps** - -If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync. - -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Admin > Mobile Device Management > Windows > Store for Business**. -2. In the **Microsoft Store for Business** page, click **Sync now** to force a sync. - - **Figure 30** - Force a sync in Intune - - :::image type="content" alt-text="Force a sync in Intune." source="images/intune_admin_mdm_forcesync.png"::: - -**To view purchased apps** -- In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly. - -**To add more apps** -- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) for more info on how to do this. - -## 2. Set up devices - -### 2.1 Set up new devices -To set up new Windows devices, go through the Windows initial device setup or first-run experience to configure your device. - -**To set up a device** -1. Go through the Windows device setup experience. On a new or reset device, this starts with the **Hi there** screen on devices running Windows 10, version 1607 (Anniversary Update). The setup lets you: - - Fill in the details in the **Hi there** screen including your home country/region, preferred language, keyboard layout, and timezone - - Accept the EULA - - Customize the setup or use Express settings - - **Figure 31** - First screen in Windows device setup - - :::image type="content" alt-text="First screen in Windows device setup." source="images/win10_hithere.png"::: - - > [!NOTE] - > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection. - -2. In the **Who owns this PC?** screen, select **My work or school owns it** and click **Next**. -3. In the **Choose how you'll connect** screen, select **Join Azure Active Directory** and click **Next**. - - **Figure 32** - Choose how you'll connect your Windows device - - :::image type="content" alt-text="Choose how you'll connect the Windows device." source="images/win10_choosehowtoconnect.png"::: - -4. In the **Let's get you signed in** screen, sign in using a user account you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts. - - **Figure 33** - Sign in using one of the accounts you added - - :::image type="content" alt-text="Sign in using one of the accounts you added." source="images/win10_signin_admin_account.png"::: - -5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup. - - Windows will continue with setup and you may be asked to set up a PIN for Windows Hello if your organization has it enabled. - -### 2.2 Verify correct device setup -Verify that the device is set up correctly and boots without any issues. - -**To verify that the device was set up correctly** -1. Click on the **Start** menu and select some of the options to make sure everything opens properly. -2. Confirm that the Store and built-in apps are working. - -### 2.3 Verify the device is Azure AD joined -In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune. - -**To verify if the device is joined to Azure AD** -1. Check the device name on your PC. On your Windows PC, select **Settings > System > About** and then check **PC name**. - - **Figure 34** - Check the PC name on your device - - :::image type="content" alt-text="Check the PC name on your device." source="images/win10_settings_pcname.png"::: - -2. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -3. Select **Groups** and then go to **Devices**. -4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC. - - Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section. - - Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**. - - Check the **AAD Registered** column and confirm that it says **Yes**. - - **Figure 35** - Check that the device appears in Intune - - :::image type="content" alt-text="Check that the device appears in Intune." source="images/intune_groups_devices_list.png"::: - -## 3. Manage device settings and features -You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/mem/intune/configuration/device-profiles). - -In this section, we'll show you how to reconfigure app deployment settings and add a new policy that will disable the camera for the Intune-managed devices and turn off Windows Hello and PINs during setup. - -### 3.1 Reconfigure app deployment settings -In some cases, if an app is missing from the device, you need to reconfigure the deployment settings for the app and set the app to require installation as soon as possible. - -**To reconfigure app deployment settings** -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps** and go to **Apps > Volume-Purchased Apps**. -2. Select the app, right-click, then select **Manage Deployment...**. -3. Select the group(s) whose apps will be managed, and then click **Add** to add the group. -4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app. -5. For each group that you selected, set **Approval** to **Required Install**. This step automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**. - - **Figure 36** - Reconfigure an app's deployment setting in Intune - - :::image type="content" alt-text="Reconfigure app deployment settings in Intune." source="images/intune_apps_deploymentaction.png"::: - -6. Click **Finish**. -7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible. -8. Verify that the app shows up on the device using the following steps: - - Make sure you're logged in to the Windows device. - - Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section. - - **Figure 37** - Confirm that additional apps were deployed to the device - - :::image type="content" alt-text="Confirm that additional apps were deployed to the device." source="images/win10_deploy_apps_immediately.png"::: - -### 3.2 Configure other settings in Intune - -**To disable the camera** -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices > Configuration Policies**. -2. In the **Policies** window, click **Add** to create a new policy. -3. On the **Create a New Policy** page, click **Windows** to expand the group, select **General Configuration (Windows 10 Desktop and Mobile and later)**, choose **Create and Deploy a Custom Policy**, and then click **Create Policy**. -4. On the **Create Policy** page, select **Device Capabilities**. -5. In the **General** section, add a name and description for this policy. For example: - - **Name**: Test Policy - Disable Camera - - **Description**: Disables the camera -6. Scroll down to the **Hardware** section, find **Allow camera is not configured**, toggle the button so that it changes to **Allow camera** and choose **No** from the dropdown list. - - **Figure 38** - Add a configuration policy - - :::image type="content" alt-text="Add a configuration policy." source="images/intune_policy_disablecamera.png"::: - -7. Click **Save Policy**. A confirmation window will pop up. -8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now. -9. On the **Management Deployment** window, select the user group(s) or device group(s) that you want to apply the policy to (for example, **All Users**), and then click **Add**. -10. Click **OK** to close the window. - - **Figure 39** - The new policy should appear in the **Policies** list. - - :::image type="content" alt-text="New policy appears on the list." source="images/intune_policies_newpolicy_deployed.png"::: - -**To turn off Windows Hello and PINs during device setup** -1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Go to **Mobile Device Management > Windows > Windows Hello for Business**. -3. In the **Windows Hello for Business** page, select **Disable Windows Hello for Business on enrolled devices**. - - **Figure 40** - Policy to disable Windows Hello for Business - - :::image type="content" alt-text="Disable Windows Hello for Business." source="images/intune_policy_disable_windowshello.png"::: - -4. Click **Save**. - - > [!NOTE] - > This policy is a tenant-wide Intune setting. It disables Windows Hello and required PINs during setup for all enrolled devices in a tenant. - -To test whether these policies get successfully deployed to your tenant, go through [4. Add more devices and users](#4-add-more-devices-and-users) and setup another Windows device and login as one of the users. - -## 4. Add more devices and users -After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more devices or users and you want the same policies to apply to these new devices and users. In this section, we'll show you how to do this. - -### 4.1 Connect other devices to your cloud infrastructure -Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [2. Set up devices](#2-set-up-devices). - -For other devices, such as those personally-owned by employees who need to connect to the corporate network to access corporate resources (BYOD), you can follow the steps in this section to get these devices connected. - - > [!NOTE] - > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device. - -**To connect a personal device to your work or school** -1. On your Windows device, go to **Settings > Accounts**. -2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page. -3. In the **Set up a work or school account** window, click **Join this device to Azure Active Directory** to add an Azure AD account to the device. - - **Figure 41** - Add an Azure AD account to the device - - :::image type="content" alt-text="Add an Azure AD account to the device." source="images/win10_add_new_user_join_aad.png"::: - -4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user. - - **Figure 42** - Enter the account details - - :::image type="content" alt-text="Enter the account details." source="images/win10_add_new_user_account_aadwork.png"::: - -5. You will be asked to update the password so enter a new password. -6. Verify the details to make sure you're connecting to the right organization and then click **Join**. - - **Figure 43** - Make sure this is your organization - - :::image type="content" alt-text="Make sure this is your organization." source="images/win10_confirm_organization_details.png"::: - -7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**. - - **Figure 44** - Confirmation that the device is now connected - - :::image type="content" alt-text="Confirmation that the device is now connected." source="images/win10_confirm_device_connected_to_org.png"::: - -8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources. - - **Figure 45** - Device is now enrolled in Azure AD - - :::image type="content" alt-text="Device is enrolled in Azure AD." source="images/win10_device_enrolled_in_aad.png"::: - -9. You can confirm that the new device and user are showing up as Intune-managed by going to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later. - -### 4.2 Add a new user -You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune. - -See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and verify that the same users were added to the Intune groups as well. - -## Get more info - -### For IT admins -To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links: -- [Set up Office 365 for business](/microsoft-365/admin/setup) -- Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/) -- More info about managing devices, apps, data, troubleshooting, and more in the [Intune documentation](/mem/intune/) -- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/). -- Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/) - -### For information workers -Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info: - -- [Office Help & Training](https://support.microsoft.com/office) -- [Windows help & learning](https://support.microsoft.com/windows) - -## Related topics - -- [Windows for business](https://www.microsoft.com/windows/business) -- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) diff --git a/smb/images/azure_ad_access_not_available.PNG b/smb/images/azure_ad_access_not_available.PNG deleted file mode 100644 index 754ff011ea..0000000000 Binary files a/smb/images/azure_ad_access_not_available.PNG and /dev/null differ diff --git a/smb/images/azure_ad_sign_up_screen.PNG b/smb/images/azure_ad_sign_up_screen.PNG deleted file mode 100644 index 3c369cfd5b..0000000000 Binary files a/smb/images/azure_ad_sign_up_screen.PNG and /dev/null differ diff --git a/smb/images/azure_ad_successful_signup.PNG b/smb/images/azure_ad_successful_signup.PNG deleted file mode 100644 index 197744f309..0000000000 Binary files a/smb/images/azure_ad_successful_signup.PNG and /dev/null differ diff --git a/smb/images/azure_portal_azure_ad_management.PNG b/smb/images/azure_portal_azure_ad_management.PNG deleted file mode 100644 index 6401aa910b..0000000000 Binary files a/smb/images/azure_portal_azure_ad_management.PNG and /dev/null differ diff --git a/smb/images/azure_portal_azure_ad_management_users_groups.png b/smb/images/azure_portal_azure_ad_management_users_groups.png deleted file mode 100644 index 5010765800..0000000000 Binary files a/smb/images/azure_portal_azure_ad_management_users_groups.png and /dev/null differ diff --git a/smb/images/azure_portal_classic.PNG b/smb/images/azure_portal_classic.PNG deleted file mode 100644 index 15132f7a07..0000000000 Binary files a/smb/images/azure_portal_classic.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_add_group.PNG b/smb/images/azure_portal_classic_add_group.PNG deleted file mode 100644 index 417e9b8a72..0000000000 Binary files a/smb/images/azure_portal_classic_add_group.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_all_users_group.PNG b/smb/images/azure_portal_classic_all_users_group.PNG deleted file mode 100644 index 55988d9c6c..0000000000 Binary files a/smb/images/azure_portal_classic_all_users_group.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_applications.PNG b/smb/images/azure_portal_classic_applications.PNG deleted file mode 100644 index 9c39a28e08..0000000000 Binary files a/smb/images/azure_portal_classic_applications.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_configure_directory.png b/smb/images/azure_portal_classic_configure_directory.png deleted file mode 100644 index 1cece3e84c..0000000000 Binary files a/smb/images/azure_portal_classic_configure_directory.png and /dev/null differ diff --git a/smb/images/azure_portal_classic_configure_intune.PNG b/smb/images/azure_portal_classic_configure_intune.PNG deleted file mode 100644 index 0daddd7e83..0000000000 Binary files a/smb/images/azure_portal_classic_configure_intune.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_configure_intune_app.png b/smb/images/azure_portal_classic_configure_intune_app.png deleted file mode 100644 index 1110714b7c..0000000000 Binary files a/smb/images/azure_portal_classic_configure_intune_app.png and /dev/null differ diff --git a/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG b/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG deleted file mode 100644 index a85a28dd7d..0000000000 Binary files a/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_directory_ready.PNG b/smb/images/azure_portal_classic_directory_ready.PNG deleted file mode 100644 index d627036ca3..0000000000 Binary files a/smb/images/azure_portal_classic_directory_ready.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_groups.PNG b/smb/images/azure_portal_classic_groups.PNG deleted file mode 100644 index a746a0b21b..0000000000 Binary files a/smb/images/azure_portal_classic_groups.PNG and /dev/null differ diff --git a/smb/images/azure_portal_classic_members_added.PNG b/smb/images/azure_portal_classic_members_added.PNG deleted file mode 100644 index 5cb5864330..0000000000 Binary files a/smb/images/azure_portal_classic_members_added.PNG and /dev/null differ diff --git a/smb/images/azure_portal_home.PNG b/smb/images/azure_portal_home.PNG deleted file mode 100644 index 5f0dcf4c5d..0000000000 Binary files a/smb/images/azure_portal_home.PNG and /dev/null differ diff --git a/smb/images/azure_portal_select_azure_ad.png b/smb/images/azure_portal_select_azure_ad.png deleted file mode 100644 index 694d30cbdd..0000000000 Binary files a/smb/images/azure_portal_select_azure_ad.png and /dev/null differ diff --git a/smb/images/business-cloud-mode-graphic.png b/smb/images/business-cloud-mode-graphic.png deleted file mode 100644 index 449b7ca356..0000000000 Binary files a/smb/images/business-cloud-mode-graphic.png and /dev/null differ diff --git a/smb/images/business-cloud-mode.png b/smb/images/business-cloud-mode.png deleted file mode 100644 index f524b42372..0000000000 Binary files a/smb/images/business-cloud-mode.png and /dev/null differ diff --git a/smb/images/deploy.png b/smb/images/deploy.png deleted file mode 100644 index 8fe505f77e..0000000000 Binary files a/smb/images/deploy.png and /dev/null differ diff --git a/smb/images/deploy_art.png b/smb/images/deploy_art.png deleted file mode 100644 index 5f2a6d0978..0000000000 Binary files a/smb/images/deploy_art.png and /dev/null differ diff --git a/smb/images/intune_admin_mdm.PNG b/smb/images/intune_admin_mdm.PNG deleted file mode 100644 index 3b334b27d5..0000000000 Binary files a/smb/images/intune_admin_mdm.PNG and /dev/null differ diff --git a/smb/images/intune_admin_mdm_configure.png b/smb/images/intune_admin_mdm_configure.png deleted file mode 100644 index 0a9cb4b99f..0000000000 Binary files a/smb/images/intune_admin_mdm_configure.png and /dev/null differ diff --git a/smb/images/intune_admin_mdm_forcesync.PNG b/smb/images/intune_admin_mdm_forcesync.PNG deleted file mode 100644 index 96d085a261..0000000000 Binary files a/smb/images/intune_admin_mdm_forcesync.PNG and /dev/null differ diff --git a/smb/images/intune_admin_mdm_store_sync.PNG b/smb/images/intune_admin_mdm_store_sync.PNG deleted file mode 100644 index 3b884371b0..0000000000 Binary files a/smb/images/intune_admin_mdm_store_sync.PNG and /dev/null differ diff --git a/smb/images/intune_apps_deploymentaction.PNG b/smb/images/intune_apps_deploymentaction.PNG deleted file mode 100644 index 0c769017d2..0000000000 Binary files a/smb/images/intune_apps_deploymentaction.PNG and /dev/null differ diff --git a/smb/images/intune_configure_store_app_sync_dialog.PNG b/smb/images/intune_configure_store_app_sync_dialog.PNG deleted file mode 100644 index abb41318f1..0000000000 Binary files a/smb/images/intune_configure_store_app_sync_dialog.PNG and /dev/null differ diff --git a/smb/images/intune_groups_devices_list.PNG b/smb/images/intune_groups_devices_list.PNG deleted file mode 100644 index f571847bc7..0000000000 Binary files a/smb/images/intune_groups_devices_list.PNG and /dev/null differ diff --git a/smb/images/intune_policies_newpolicy_deployed.PNG b/smb/images/intune_policies_newpolicy_deployed.PNG deleted file mode 100644 index 72cb4d5db3..0000000000 Binary files a/smb/images/intune_policies_newpolicy_deployed.PNG and /dev/null differ diff --git a/smb/images/intune_policy_disable_windowshello.PNG b/smb/images/intune_policy_disable_windowshello.PNG deleted file mode 100644 index 2b7300c9ce..0000000000 Binary files a/smb/images/intune_policy_disable_windowshello.PNG and /dev/null differ diff --git a/smb/images/intune_policy_disablecamera.PNG b/smb/images/intune_policy_disablecamera.PNG deleted file mode 100644 index 53fd969c00..0000000000 Binary files a/smb/images/intune_policy_disablecamera.PNG and /dev/null differ diff --git a/smb/images/intune_portal_home.PNG b/smb/images/intune_portal_home.PNG deleted file mode 100644 index b63295fe42..0000000000 Binary files a/smb/images/intune_portal_home.PNG and /dev/null differ diff --git a/smb/images/learn.png b/smb/images/learn.png deleted file mode 100644 index 9e8f87f436..0000000000 Binary files a/smb/images/learn.png and /dev/null differ diff --git a/smb/images/learn_art.png b/smb/images/learn_art.png deleted file mode 100644 index 1170f9ca26..0000000000 Binary files a/smb/images/learn_art.png and /dev/null differ diff --git a/smb/images/o365_active_users.PNG b/smb/images/o365_active_users.PNG deleted file mode 100644 index 8ab381a59d..0000000000 Binary files a/smb/images/o365_active_users.PNG and /dev/null differ diff --git a/smb/images/o365_add_existing_domain.PNG b/smb/images/o365_add_existing_domain.PNG deleted file mode 100644 index e29cdca3f9..0000000000 Binary files a/smb/images/o365_add_existing_domain.PNG and /dev/null differ diff --git a/smb/images/o365_additional_domain.PNG b/smb/images/o365_additional_domain.PNG deleted file mode 100644 index 5682fb15f7..0000000000 Binary files a/smb/images/o365_additional_domain.PNG and /dev/null differ diff --git a/smb/images/o365_admin_portal.PNG b/smb/images/o365_admin_portal.PNG deleted file mode 100644 index cfbf696310..0000000000 Binary files a/smb/images/o365_admin_portal.PNG and /dev/null differ diff --git a/smb/images/o365_assign_intune_license.PNG b/smb/images/o365_assign_intune_license.PNG deleted file mode 100644 index 261f096a98..0000000000 Binary files a/smb/images/o365_assign_intune_license.PNG and /dev/null differ diff --git a/smb/images/o365_domains.PNG b/smb/images/o365_domains.PNG deleted file mode 100644 index ca79f71f54..0000000000 Binary files a/smb/images/o365_domains.PNG and /dev/null differ diff --git a/smb/images/o365_microsoft_provided_domain.PNG b/smb/images/o365_microsoft_provided_domain.PNG deleted file mode 100644 index b2a05eb5a9..0000000000 Binary files a/smb/images/o365_microsoft_provided_domain.PNG and /dev/null differ diff --git a/smb/images/o365_trynow.PNG b/smb/images/o365_trynow.PNG deleted file mode 100644 index 5810f3e0f9..0000000000 Binary files a/smb/images/o365_trynow.PNG and /dev/null differ diff --git a/smb/images/o365_users.PNG b/smb/images/o365_users.PNG deleted file mode 100644 index e0b462a8c5..0000000000 Binary files a/smb/images/o365_users.PNG and /dev/null differ diff --git a/smb/images/office365_add_individual_user.PNG b/smb/images/office365_add_individual_user.PNG deleted file mode 100644 index 87f674fa10..0000000000 Binary files a/smb/images/office365_add_individual_user.PNG and /dev/null differ diff --git a/smb/images/office365_additional_domain.png b/smb/images/office365_additional_domain.png deleted file mode 100644 index 940a090477..0000000000 Binary files a/smb/images/office365_additional_domain.png and /dev/null differ diff --git a/smb/images/office365_admin_center.png b/smb/images/office365_admin_center.png deleted file mode 100644 index 26808fc27c..0000000000 Binary files a/smb/images/office365_admin_center.png and /dev/null differ diff --git a/smb/images/office365_admin_portal.png b/smb/images/office365_admin_portal.png deleted file mode 100644 index fe0f81bda0..0000000000 Binary files a/smb/images/office365_admin_portal.png and /dev/null differ diff --git a/smb/images/office365_buy_domain.png b/smb/images/office365_buy_domain.png deleted file mode 100644 index 51ea9c1e6c..0000000000 Binary files a/smb/images/office365_buy_domain.png and /dev/null differ diff --git a/smb/images/office365_create_userid.png b/smb/images/office365_create_userid.png deleted file mode 100644 index fc3d070841..0000000000 Binary files a/smb/images/office365_create_userid.png and /dev/null differ diff --git a/smb/images/office365_domains.png b/smb/images/office365_domains.png deleted file mode 100644 index 51ea9c1e6c..0000000000 Binary files a/smb/images/office365_domains.png and /dev/null differ diff --git a/smb/images/office365_import_multiple_users.PNG b/smb/images/office365_import_multiple_users.PNG deleted file mode 100644 index c1b05fa2c9..0000000000 Binary files a/smb/images/office365_import_multiple_users.PNG and /dev/null differ diff --git a/smb/images/office365_ms_provided_domain.png b/smb/images/office365_ms_provided_domain.png deleted file mode 100644 index 18479da421..0000000000 Binary files a/smb/images/office365_ms_provided_domain.png and /dev/null differ diff --git a/smb/images/office365_plan_subscription_checkout.png b/smb/images/office365_plan_subscription_checkout.png deleted file mode 100644 index 340336c39e..0000000000 Binary files a/smb/images/office365_plan_subscription_checkout.png and /dev/null differ diff --git a/smb/images/office365_portal.png b/smb/images/office365_portal.png deleted file mode 100644 index f3a23d4a65..0000000000 Binary files a/smb/images/office365_portal.png and /dev/null differ diff --git a/smb/images/office365_signup_page.png b/smb/images/office365_signup_page.png deleted file mode 100644 index ce2de7f034..0000000000 Binary files a/smb/images/office365_signup_page.png and /dev/null differ diff --git a/smb/images/office365_trynow.png b/smb/images/office365_trynow.png deleted file mode 100644 index 72aaeb923a..0000000000 Binary files a/smb/images/office365_trynow.png and /dev/null differ diff --git a/smb/images/office365_tryorbuy_now.png b/smb/images/office365_tryorbuy_now.png deleted file mode 100644 index 760e3a74cc..0000000000 Binary files a/smb/images/office365_tryorbuy_now.png and /dev/null differ diff --git a/smb/images/office365_users.png b/smb/images/office365_users.png deleted file mode 100644 index ec9231de1b..0000000000 Binary files a/smb/images/office365_users.png and /dev/null differ diff --git a/smb/images/smb_portal_banner.png b/smb/images/smb_portal_banner.png deleted file mode 100644 index e38560ab5a..0000000000 Binary files a/smb/images/smb_portal_banner.png and /dev/null differ diff --git a/smb/images/win10_add_new_user_account_aadwork.PNG b/smb/images/win10_add_new_user_account_aadwork.PNG deleted file mode 100644 index 378339b1e9..0000000000 Binary files a/smb/images/win10_add_new_user_account_aadwork.PNG and /dev/null differ diff --git a/smb/images/win10_add_new_user_join_aad.PNG b/smb/images/win10_add_new_user_join_aad.PNG deleted file mode 100644 index 7924250993..0000000000 Binary files a/smb/images/win10_add_new_user_join_aad.PNG and /dev/null differ diff --git a/smb/images/win10_change_your_password.PNG b/smb/images/win10_change_your_password.PNG deleted file mode 100644 index bf9f164290..0000000000 Binary files a/smb/images/win10_change_your_password.PNG and /dev/null differ diff --git a/smb/images/win10_choosehowtoconnect.PNG b/smb/images/win10_choosehowtoconnect.PNG deleted file mode 100644 index 0a561b1913..0000000000 Binary files a/smb/images/win10_choosehowtoconnect.PNG and /dev/null differ diff --git a/smb/images/win10_confirm_device_connected_to_org.PNG b/smb/images/win10_confirm_device_connected_to_org.PNG deleted file mode 100644 index a70849ebe8..0000000000 Binary files a/smb/images/win10_confirm_device_connected_to_org.PNG and /dev/null differ diff --git a/smb/images/win10_confirm_organization_details.PNG b/smb/images/win10_confirm_organization_details.PNG deleted file mode 100644 index 54605d39fe..0000000000 Binary files a/smb/images/win10_confirm_organization_details.PNG and /dev/null differ diff --git a/smb/images/win10_deivce_enrolled_in_aad.PNG b/smb/images/win10_deivce_enrolled_in_aad.PNG deleted file mode 100644 index a2c60c114e..0000000000 Binary files a/smb/images/win10_deivce_enrolled_in_aad.PNG and /dev/null differ diff --git a/smb/images/win10_deploy_apps_immediately.PNG b/smb/images/win10_deploy_apps_immediately.PNG deleted file mode 100644 index 1e63f77939..0000000000 Binary files a/smb/images/win10_deploy_apps_immediately.PNG and /dev/null differ diff --git a/smb/images/win10_device_enrolled_in_aad.png b/smb/images/win10_device_enrolled_in_aad.png deleted file mode 100644 index a2c60c114e..0000000000 Binary files a/smb/images/win10_device_enrolled_in_aad.png and /dev/null differ diff --git a/smb/images/win10_device_setup_complete.PNG b/smb/images/win10_device_setup_complete.PNG deleted file mode 100644 index 454e30a441..0000000000 Binary files a/smb/images/win10_device_setup_complete.PNG and /dev/null differ diff --git a/smb/images/win10_hithere.PNG b/smb/images/win10_hithere.PNG deleted file mode 100644 index b251b8eb7c..0000000000 Binary files a/smb/images/win10_hithere.PNG and /dev/null differ diff --git a/smb/images/win10_settings_pcname.PNG b/smb/images/win10_settings_pcname.PNG deleted file mode 100644 index ff815b0a8a..0000000000 Binary files a/smb/images/win10_settings_pcname.PNG and /dev/null differ diff --git a/smb/images/win10_signin_admin_account.PNG b/smb/images/win10_signin_admin_account.PNG deleted file mode 100644 index e6df613284..0000000000 Binary files a/smb/images/win10_signin_admin_account.PNG and /dev/null differ diff --git a/smb/images/wsfb_account_details.PNG b/smb/images/wsfb_account_details.PNG deleted file mode 100644 index 7a2594ec3f..0000000000 Binary files a/smb/images/wsfb_account_details.PNG and /dev/null differ diff --git a/smb/images/wsfb_account_details_2.PNG b/smb/images/wsfb_account_details_2.PNG deleted file mode 100644 index 7e38f20099..0000000000 Binary files a/smb/images/wsfb_account_details_2.PNG and /dev/null differ diff --git a/smb/images/wsfb_account_signup_saveinfo.PNG b/smb/images/wsfb_account_signup_saveinfo.PNG deleted file mode 100644 index f29280352b..0000000000 Binary files a/smb/images/wsfb_account_signup_saveinfo.PNG and /dev/null differ diff --git a/smb/images/wsfb_manage_inventory_newapps.PNG b/smb/images/wsfb_manage_inventory_newapps.PNG deleted file mode 100644 index 070728fcad..0000000000 Binary files a/smb/images/wsfb_manage_inventory_newapps.PNG and /dev/null differ diff --git a/smb/images/wsfb_management_tools.PNG b/smb/images/wsfb_management_tools.PNG deleted file mode 100644 index 82d11a9a25..0000000000 Binary files a/smb/images/wsfb_management_tools.PNG and /dev/null differ diff --git a/smb/images/wsfb_management_tools_activate.png b/smb/images/wsfb_management_tools_activate.png deleted file mode 100644 index bb2ffd99ad..0000000000 Binary files a/smb/images/wsfb_management_tools_activate.png and /dev/null differ diff --git a/smb/images/wsfb_shop_microsoft_apps.PNG b/smb/images/wsfb_shop_microsoft_apps.PNG deleted file mode 100644 index 562f3fd1e3..0000000000 Binary files a/smb/images/wsfb_shop_microsoft_apps.PNG and /dev/null differ diff --git a/smb/images/wsfb_signup_for_account.PNG b/smb/images/wsfb_signup_for_account.PNG deleted file mode 100644 index d641587c5e..0000000000 Binary files a/smb/images/wsfb_signup_for_account.PNG and /dev/null differ diff --git a/smb/images/wsfb_store_portal.PNG b/smb/images/wsfb_store_portal.PNG deleted file mode 100644 index 03a4ad928e..0000000000 Binary files a/smb/images/wsfb_store_portal.PNG and /dev/null differ diff --git a/smb/includes/smb-content-updates.md b/smb/includes/smb-content-updates.md index e8f13c7d35..4414b9e00b 100644 --- a/smb/includes/smb-content-updates.md +++ b/smb/includes/smb-content-updates.md @@ -2,9 +2,10 @@ -## Week of December 13, 2021 +## Week of July 18, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 12/14/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified | +| 7/22/2022 | Deploy and manage a full cloud IT solution for your business | removed | +| 7/22/2022 | Windows 10/11 for small to midsize businesses | removed | diff --git a/smb/index.md b/smb/index.md deleted file mode 100644 index fb9fbc6fc9..0000000000 --- a/smb/index.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Windows 10/11 for small to midsize businesses -description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business. -keywords: Windows 10, Windows 11, SMB, small business, midsize business, business -ms.prod: w10 -ms.technology: -ms.topic: article -ms.author: dansimp -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: smb -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: itpro ---- - -# Windows 10/11 for Small and Medium Business (SMB) - -![Windows 10 for SMB.](images/smb_portal_banner.png) - -## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn - -**[Windows for business](https://www.microsoft.com/windows/business)** - -Learn how Windows can help your business be more productive, collaborate better, and be more secure. - -**[Bing Pages](https://www.microsoft.com/bing/bing-pages-overview)** - -Use Bing to grow your business and enhance your brand online. - -**[Customer stories](https://customers.microsoft.com/)** - -Read about the latest stories and technology insights. - -**[SMB Blog](https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/bg-p/Microsoft365BusinessBlog)** - -Read about business strategies and collaborations with SMBs. - -**[Business Solutions and Technology](https://www.microsoft.com/store/b/business)** - -Learn more about Microsoft products, or when you're ready to buy products and services to help transform your business. - -## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy - -**[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)** - -Using Microsoft cloud services and tools, it can be easy to deploy and manage a full cloud IT solution for your small to midsize business. - -## Related articles - -- [Windows for business](https://www.microsoft.com/windows/business) -- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index 882b7e57ba..9922255c06 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md @@ -17,7 +17,7 @@ ms.date: 07/21/2021 # Acquire apps in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). @@ -38,7 +38,7 @@ Some apps are free, and some have a price. Apps can be purchased in the Microsof - Japan Commercial Bureau (JCB) ## Organization info -There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** or **Payments & billing** page before you buy apps. If you haven’t provided it, we’ll ask when you make a purchase. Either way works. Here’s the info you’ll need to provide: +There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** or **Payments & billing** page before you buy apps. If you haven't provided it, we'll ask when you make a purchase. Either way works. Here's the info you'll need to provide: - Legal business address - Payment option (credit card) @@ -73,10 +73,10 @@ People in your org can request license for apps that they need, or that others n 3. Select the app you want to purchase. 4. On the product description page, choose your license type - either online or offline. 5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and select **Next**. -6. If you don’t have a payment method saved in **Billing & payments**, we will prompt you for one. +6. If you don't have a payment method saved in **Billing & payments**, we will prompt you for one. 7. Add your credit card or debit card info, and select **Next**. Your card info is saved as a payment option on **Billing & payments - Payment methods**. -You’ll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](./update-microsoft-store-for-business-account-settings.md#organization-tax-information). +You'll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](./update-microsoft-store-for-business-account-settings.md#organization-tax-information). Microsoft Store adds the app to your inventory. From **Products & services**, you can: - Distribute the app: add to private store, or assign licenses diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index 2ee659bb6b..01fcc41871 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md @@ -20,7 +20,7 @@ ms.localizationpriority: medium - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot). @@ -136,11 +136,11 @@ Here's info on some of the errors you might see while working with Autopilot dep | ---------- | ------------------- | | wadp001 | Check your file, or ask your device partner for a complete .csv file. This file is missing Serial Number and Product Id info. | | wadp002 | Check your file, or ask your device partner for updated hardware hash info in the .csv file. Hardware hash info is invalid in the current .csv file. | -| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You’re over the limit! Divide this device data into multiple .csv files. | +| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You're over the limit! Divide this device data into multiple .csv files. | | wadp004 | Try that again. Something happened on our end. Waiting a bit might help. | | wadp005 | Check your .csv file with your device provider. One of the devices on your list has been claimed by another organization. | | wadp006 | Try that again. Something happened on our end. Waiting a bit might help. | | wadp007 | Check the info for this device in your .csv file. The device is already registered in your organization. | | wadp008 | The device does not meet Autopilot Deployment requirements. | -| wadp009 | Check with your device provider for an update .csv file. The current file doesn’t work | +| wadp009 | Check with your device provider for an update .csv file. The current file doesn't work | | wadp010 | Try that again. Something happened on our end. Waiting a bit might help. | \ No newline at end of file diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index d96d350d9d..58ca7bff3e 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -18,72 +18,70 @@ ms.date: 07/21/2021 # Add unsigned app to code integrity policy > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > -> Following are the major changes we are making to the service: +> Following are the major changes we are making to the service: +> > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/). -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: +> > - Get a CI policy > - Sign a CI policy -> - Sign a catalog +> - Sign a catalog > - Download root cert -> - Download history of your signing operations +> - Download history of your signing operations > -> For any questions, please contact us at DGSSMigration@microsoft.com. - +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** -- Windows 10 +- Windows 10 When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. -## In this section -- [Create a code integrity policy based on a reference device](#create-ci-policy) -- [Create catalog files for your unsigned app](#create-catalog-files) -- [Catalog signing with Device Guard signing portal](#catalog-signing-device-guard-portal) +## Create a code integrity policy based on a reference device -## Create a code integrity policy based on a reference device To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](/windows/device-security/device-guard/device-guard-deployment-guide). -## Create catalog files for your unsigned app +## Create catalog files for your unsigned app + Creating catalog files starts the process for adding an unsigned app to a code integrity policy. Before you get started, be sure to review these best practices and requirements: -**Requirements** +### Requirements - You'll use Package Inspector during this process. - Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy. -**Best practices** +### Best practices - **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). -- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. +- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-a-code-integrity-policy-based-on-a-reference-device) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app. -**To create catalog files for your unsigned app** +### To create catalog files for your unsigned app -1. Start Package Inspector to scan the C drive. +1. Start Package Inspector to scan the C drive. `PackageInspector.exe Start C:` -2. Copy the installation media to the C drive. +2. Copy the installation media to the C drive. Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed. -3. Install and start the app. +3. Install and start the app. All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries. -4. Stop the scan and create definition and catalog files. +4. Stop the scan and create definition and catalog files. After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop. @@ -99,17 +97,17 @@ The Package Inspector scan catalogs the hash values for each binary file that is After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy. -## Catalog signing with Device Guard signing portal +## Catalog signing with Device Guard signing portal To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. Catalog signing is a vital step to adding your unsigned apps to your code integrity policy. -**To sign a catalog file with Device Guard signing portal** +### To sign a catalog file with Device Guard signing portal 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). 2. Click **Settings**, click **Store settings**, and then click **Device Guard**. -3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files). +3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files-for-your-unsigned-app). 4. After the files are uploaded, click **Sign** to sign the catalog files. 5. Click Download to download each item: - signed catalog file diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md index 3eb99b3802..c3dd51ee67 100644 --- a/store-for-business/app-inventory-management-microsoft-store-for-business.md +++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md @@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md index 4e4499a673..c721a02787 100644 --- a/store-for-business/apps-in-microsoft-store-for-business.md +++ b/store-for-business/apps-in-microsoft-store-for-business.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education has thousands of apps from many different categories. @@ -55,14 +55,14 @@ Line-of-business (LOB) apps are also supported using Microsoft Store. Admins can Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Microsoft Store and distributed to employees. -If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization’s inventory. +If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization's inventory. ## Licensing model: online and offline licenses Microsoft Store supports two options to license apps: online and offline. ### Online licensing -Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update. +Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update. Distribution options for online-licensed apps include the ability to: diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md index a718684e7e..b17921f3b5 100644 --- a/store-for-business/assign-apps-to-employees.md +++ b/store-for-business/assign-apps-to-employees.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization. diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md index add114e633..64489e2d0d 100644 --- a/store-for-business/billing-payments-overview.md +++ b/store-for-business/billing-payments-overview.md @@ -18,7 +18,7 @@ manager: dansimp # Billing and payments > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Access invoices and managed your payment methods. diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md index 284e5f8a87..866fc5fa17 100644 --- a/store-for-business/billing-profile.md +++ b/store-for-business/billing-profile.md @@ -18,7 +18,7 @@ manager: dansimp # Understand billing profiles > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index 725ba3bd9f..70f8c3d15d 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -17,15 +17,15 @@ manager: dansimp # Understand your Microsoft Customer Agreement invoice > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). -The invoice provides a summary of your charges and provides instructions for payment. It’s available for +The invoice provides a summary of your charges and provides instructions for payment. It's available for download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements). ## General invoice information Invoices are your bill from Microsoft. A few things to note: -- **Invoice schedule** - You’re invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**. +- **Invoice schedule** - You're invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**. - **Billing profile** - Billing profiles are created during your purchase. Invoices are created for each billing profile. Billing profiles let you customize what products are purchased, how you pay for them, and who can make purchases. For more information, see [Understand billing profiles](billing-profile.md) - **Items included** - Your invoice includes total charges for all first and third-party software and hardware products purchased under a Microsoft Customer Agreement. That includes items purchased from Microsoft Store for Business and Azure Marketplace. - **Charges** - Your invoice provides information about products purchased and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill. diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md index 0249a8b606..151722f51a 100644 --- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md +++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content. diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index dbccbf3bae..4c49b31308 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. @@ -30,7 +30,7 @@ ms.date: 07/21/2021 > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index c0ccce55a6..343c57ed38 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md index 723648db24..de94448f75 100644 --- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md +++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store. diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index 38c26e9d99..0e41f26d57 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content. @@ -46,7 +46,7 @@ MDM tool requirements: ## Distribute offline-licensed apps -If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](./apps-in-microsoft-store-for-business.md#licensing-model). +If your vendor doesn't support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](./apps-in-microsoft-store-for-business.md#licensing-model). This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices. diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 5ee0219d23..e431ad264f 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -23,8 +23,8 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). - +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store. ## Why offline-licensed apps? diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md index 9a624bd3c0..1ae93064e6 100644 --- a/store-for-business/find-and-acquire-apps-overview.md +++ b/store-for-business/find-and-acquire-apps-overview.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. diff --git a/store-for-business/index.md b/store-for-business/index.md index 83186f8f8b..03852f5eee 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -21,12 +21,12 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school. > [!IMPORTANT] -> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you’ve already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won’t be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of “free” will still be available. This change doesn’t impact apps in the Microsoft Store on Windows 10. +> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won't be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of "free" will still be available. This change doesn't impact apps in the Microsoft Store on Windows 10. > > Also starting April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education. diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md index 35b33daedd..9983264ab6 100644 --- a/store-for-business/manage-access-to-private-store.md +++ b/store-for-business/manage-access-to-private-store.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education. diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md index bc995342eb..04e2434086 100644 --- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md +++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 14825fb5b5..4988dab4d4 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md @@ -17,7 +17,7 @@ manager: dansimp # Manage app orders in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds. diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index c6c6e4564c..87d79fbe9d 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -22,7 +22,7 @@ ms.localizationpriority: medium - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md index f271481d73..12534f788b 100644 --- a/store-for-business/manage-settings-microsoft-store-for-business.md +++ b/store-for-business/manage-settings-microsoft-store-for-business.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md index 5253b14c06..a57e52bfd5 100644 --- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md +++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups. diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index fd4d4e8c20..f599c5cc61 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -20,7 +20,7 @@ manager: dansimp - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459). @@ -129,7 +129,7 @@ Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user ``` ## Assign or reclaim a product with a .csv file -You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module. +You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for "Principal Names" (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module. **To assign or reclaim seats in bulk:** diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index a3cab33039..06da85f98c 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -19,10 +19,10 @@ ms.date: 07/21/2021 **Applies to** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). @@ -42,7 +42,7 @@ Organizations or schools of any size can benefit from using Microsoft Store for - **Microsoft Store for Education** – Apps acquired from Microsoft Store for Education - **Office 365** – Subscriptions - **Volume licensing** - Apps purchased with volume licensing -- **Private store** - Create a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices. +- **Private store** - Create a private store for your business that's easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices. - **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices: - Distribute through Microsoft Store services. You can assign apps to individual employees, or make apps available to all employees in your private store. - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images. @@ -68,7 +68,7 @@ Microsoft Azure Active Directory (AD) accounts for your employees: - Employees need Azure AD account when they access Store for Business content from Windows devices. - If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account - For offline-licensed apps, Azure AD accounts are not required for employees. -- Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education. +- Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don't have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education. For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611). @@ -83,7 +83,7 @@ While not required, you can use a management tool to distribute and manage apps. ## Sign up! -The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization. +The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we'll quickly create an account for you. You must be a Global Administrator for your organization. ## Set up @@ -101,7 +101,7 @@ After your admin signs up for the Store for Business and Education, they can ass In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md). -Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with Store for Business and Education. +Also, if your organization plans to use a management tool, you'll need to configure your management tool to sync with Store for Business and Education. ## Get apps and content @@ -128,7 +128,7 @@ App distribution is handled through two channels, either through the Microsoft S **Distribute with Store for Business and Education**: - Email link – After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app. -- Curate private store for all employees – A private store can include content you’ve purchased from Microsoft Store for Business, and your line-of-business apps that you’ve submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. +- Curate private store for all employees – A private store can include content you've purchased from Microsoft Store for Business, and your line-of-business apps that you've submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. - To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps. **Using a management tool** – For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options: diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index dd8d1a7d29..916cb00349 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md @@ -24,7 +24,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. @@ -32,9 +32,9 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti | Store area | Notification message | Customer impact | | ---------- | -------------------- | --------------- | -| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. | -| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | -| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. | -| Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization might not be able to view the private store, or get apps. | -| Acquisition and licensing | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | People in your org might not be able to claim a license from your private store. | -| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You might not be able to search for a partner. | +| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. | +| Manage | We're on it. Something happened on our end with management for apps and software. We're working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | +| Shop | We're on it. Something happened on our end with purchasing. We're working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. | +| Private store | We're on it. Something happened on our end with your organization's private store. People in your organization can't download apps right now. We're working to fix the problem. | People in your organization might not be able to view the private store, or get apps. | +| Acquisition and licensing | We're on it. People in your org might not be able to install or use certain apps. We're working to fix the problem. | People in your org might not be able to claim a license from your private store. | +| Partner | We're on it. Something happened on our end with Find a Partner. We're working to fix the problem. | You might not be able to search for a partner. | diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md index 43f09a403e..1ccc6c81fd 100644 --- a/store-for-business/payment-methods.md +++ b/store-for-business/payment-methods.md @@ -18,7 +18,7 @@ manager: dansimp # Payment methods > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards: - VISA @@ -54,4 +54,4 @@ Once you select **Add**, the information you provided will be validated with a t Once you click **Update**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. > [!NOTE] -> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. +> Certain actions, like updating or adding a payment option, require temporary "test authorization" transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 2b8ea7784d..99e6061d97 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index a4f1f93a78..4ced84898d 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -16,7 +16,7 @@ manager: dansimp # Microsoft Store for Business and Education release history > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. @@ -39,13 +39,13 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. ## April 2018 -- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. +- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We'll figure out who's in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we'll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. - **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. - **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. ## March 2018 - **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](./manage-private-store-settings.md#private-store-performance) -- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. +- **Private store collection updates** - We've made it easier to find apps when creating private store collections – now you can search and filter results. [Get more info](./manage-private-store-settings.md#private-store-collections) - **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings. - **Upgrade Microsoft 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 for business subscription to a Microsoft 365 for business subscription. diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index d04d9e5277..83baa7d2d3 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md index 442ff303d1..3bbc577f09 100644 --- a/store-for-business/settings-reference-microsoft-store-for-business.md +++ b/store-for-business/settings-reference-microsoft-store-for-business.md @@ -18,7 +18,7 @@ ms.date: 07/21/2021 # Settings reference: Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). The Microsoft Store for Business and Education has a group of settings that admins use to manage the store. diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index d7f05fb986..5de355b03c 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -18,7 +18,7 @@ ms.date: 07/21/2021 # Sign code integrity policy with Device Guard signing > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] @@ -27,7 +27,7 @@ ms.date: 07/21/2021 > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md index c51e8f7899..5303f4a421 100644 --- a/store-for-business/sign-up-microsoft-store-for-business-overview.md +++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps. diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index febe7110b0..48cfe3c2fc 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Troubleshooting topics for Microsoft Store for Business. diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index edc1a362da..55f5f4fc07 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md @@ -18,7 +18,7 @@ manager: dansimp # Update Billing account settings > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). A billing account contains defining information about your organization. @@ -35,9 +35,9 @@ We need your business address, email contact, and tax-exemption certificates tha Before purchasing apps that have a fee, you need to add or update your organization's business address, contact email address, and contact name. -We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase. +We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we'll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don't have an address, we'll ask you to enter it during your first purchase. -We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store. +We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Azure AD tenant that is used with Microsoft Store. **To update billing account information** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) @@ -100,7 +100,7 @@ If you qualify for tax-exempt status in your market, start a service request to 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com). 2. Select **Manage**, click **Support**, and then under **Store settings & configuration** select **Create technical support ticket**. -You’ll need this documentation: +You'll need this documentation: |Country or locale | Documentation | |------------------|----------------| diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 4b0cd1e47d..31965af7f3 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -16,7 +16,7 @@ manager: dansimp # What's new in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education regularly releases new and improved features. @@ -35,7 +35,7 @@ Microsoft Store for Business and Education regularly releases new and improved f +#### Windows Server -**.NET NGEN Blog (Highly Recommended)** +Server performance tuning guidelines for [Microsoft Windows Server 2012 R2](/previous-versions/dn529133(v=vs.85)) -- [How to speed up NGEN optimization](https://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) +#### Server roles -**Windows Server and Server Roles** +- [Remote Desktop Virtualization Host](/previous-versions/dn567643(v=vs.85)) -Server Performance Tuning Guidelines for +- [Remote Desktop Session Host](/previous-versions/dn567648(v=vs.85)) -- [Microsoft Windows Server 2012 R2](/previous-versions//dn529133(v=vs.85)) - -- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) - -- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) - -**Server Roles** - -- [Remote Desktop Virtualization Host](/previous-versions//dn567643(v=vs.85)) - -- [Remote Desktop Session Host](/previous-versions//dn567648(v=vs.85)) - -- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions//dn567678(v=vs.85)) +- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions/dn567678(v=vs.85)) - [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134210(v=ws.11)) -**Windows Client (Guest OS) Performance Tuning Guidance** +#### Windows Client (guest OS) performance tuning guidance -- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density) - -- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) +- [The Microsoft Premier Field Engineer (PFE) view on Virtual Desktop (VDI) Density](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density) - [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe) @@ -404,7 +387,7 @@ Removing FB1 doesn't require the original application installer. After completin ### Creating a new virtual application package on the sequencer -If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an application’s installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly. +If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an application's installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly. **Client Side**: diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index ba0a92dcf7..0c38b376be 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,11 +1,11 @@ --- title: Learn about the different app types in Windows 10/11 | Microsoft Docs -ms.reviewer: -manager: dougeby description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz +ms.reviewer: ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 88a99ecd24..1f3a0d4e61 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", + "**/*.svg", "**/*.gif" ], "exclude": [ diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index d85b5ea89f..60cb9c5b79 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,13 +1,13 @@ --- -author: aczechowski title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -ms.author: aaroncz +ms.prod: w10 +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 10/03/2017 ms.reviewer: -manager: dougeby ms.topic: article -ms.prod: w10 --- # Remove background task resource restrictions @@ -43,7 +43,7 @@ Starting with Windows 10, version 1703, enterprises can control background activ `./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps`  `./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps` -These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. See [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) for more information about these policies. +These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. For more information about these policies, visit [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground). An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:     diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index 17dace9c69..87c9ec2b04 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -1,9 +1,9 @@ --- -author: aczechowski -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/20/2021 ms.reviewer: -manager: dougeby ms.prod: w10 ms.topic: include --- diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index 7cb153ddb7..b26f9904a6 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -1,9 +1,9 @@ --- -author: aczechowski -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/28/2021 ms.reviewer: -manager: dougeby ms.prod: w10 ms.topic: include --- diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index 8f6b781ec5..e13b0747f4 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -13,9 +13,9 @@ metadata: ms.collection: - windows-10 - highpri - author: aczechowski - ms.author: aaroncz - manager: dougeby + author: nicholasswhite + ms.author: nwhite + manager: aaroncz ms.date: 08/24/2021 #Required; mm/dd/yyyy format. ms.localizationpriority : medium diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md deleted file mode 100644 index 122ffdd4f1..0000000000 --- a/windows/application-management/manage-windows-mixed-reality.md +++ /dev/null @@ -1,104 +0,0 @@ ---- -title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/11) -description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises. -ms.reviewer: -manager: dougeby -ms.prod: w10 -ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz -ms.topic: article ---- - -# Enable or block Windows Mixed Reality apps in enterprises - -[!INCLUDE [Applies to Windows client versions](./includes/applies-to-windows-client-versions.md)] - - -[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows client needs a new feature, it can request the feature package from Windows Update. - -Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable-windows-mixed-reality-in-wsus). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block-the-mixed-reality-portal). - -## Enable Windows Mixed Reality in WSUS - -1. [Check your version of Windows.](https://support.microsoft.com/help/13443/windows-which-operating-system) - - >[!NOTE] - >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality. - -2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - - 1. Download the FOD .cab file: - - - [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab) - - [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) - - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab) - - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab) - - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) - - [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab) - - > [!NOTE] - > You must download the FOD .cab file that matches your operating system version. - - 1. Use `Dism` to add Windows Mixed Reality FOD to the image. - - ```powershell - Dism /Online /Add-Package /PackagePath:(path) - ``` - - > [!NOTE] - > On Windows 10 and 11, you must rename the FOD .CAB file to: **Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab** - - 1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**. - - -IT admins can also create [Side by side feature store (shared folder)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127275(v=ws.11)) to allow access to the Windows Mixed Reality FOD. - -## Block the Mixed Reality Portal - -You can use the [AppLocker configuration service provider (CSP)](/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. - -In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. - -```xml - - - - $CmdID$ - - - ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions - - - chr - text/plain - - - - - - - - - - - - - - - - - - > - - - - - - -``` - - -## Related articles - -- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality) diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 4657bd8ea3..7735990889 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -2,11 +2,11 @@ title: Per-user services in Windows 10 and Windows Server description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/14/2017 ms.reviewer: -manager: dougeby --- # Per-user services in Windows 10 and Windows Server @@ -41,7 +41,7 @@ Before you disable any of these services, review the **Description** column in t | 1803 | DevicePickerUserSvc | DevicePicker | Manual | | Device Picker | | 1703 | DevicesFlowUserSvc | DevicesFlow | Manual | | Device Discovery and Connecting | | 1703 | MessagingService | MessagingService | Manual | | Service supporting text messaging and related functionality | -| 1607 | OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running. | +| 1607 | OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service isn't running. | | 1607 | PimIndexMaintenanceSvc | Contact Data | Manual | UnistoreSvc | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts. | | 1709 | PrintWorkflowUserSvc | PrintWorkflow | Manual | | Print Workflow | | 1607 | UnistoreSvc | User Data Storage | Manual | | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | @@ -71,7 +71,7 @@ In light of these restrictions, you can use the following methods to manage per- ### Manage template services using a security template -You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. +You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). For more information, visit [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings). For example: @@ -87,13 +87,13 @@ Revision=1 ### Manage template services using Group Policy preferences -If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences. +If a per-user service can't be disabled using the security template, you can disable it by using Group Policy preferences. -1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. +1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520) installed, select **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. 2. Create a new Group Policy Object (GPO) or use an existing GPO. -3. Right-click the GPO and click **Edit** to launch the Group Policy Object Editor. +3. Right-click the GPO and select **Edit** to launch the Group Policy Object Editor. 4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry. @@ -101,23 +101,23 @@ If a per-user service can't be disabled using a the security template, you can d ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) -6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. +6. Make sure that HKEY_Local_Machine is selected for Hive and then select ... (the ellipses) next to Key Path. ![Choose HKLM.](media/gpp-hklm.png) -7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. +7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and select **Select**. ![Select Start.](media/gpp-svc-start.png) -8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. +8. Change **Value data** from **00000003** to **00000004** and select **OK**. Note setting the Value data to **4** = **Disabled**. ![Startup Type is Disabled.](media/gpp-svc-disabled.png) -9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. +9. To add the other services that can't be managed with a Group Policy templates, edit the policy and repeat steps 5-8. ### Managing Template Services with reg.exe -If you cannot use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.exe. +If you can't use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.exe. To disable the Template Services, change the Startup Type for each service to 4 (disabled). For example: @@ -135,7 +135,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE ### Managing Template Services with regedit.exe -If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): +If you can't use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): ![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) @@ -159,7 +159,7 @@ Sample script using [sc.exe](/previous-versions/windows/it-pro/windows-server-20 ``` sc.exe configure start= disabled ``` -Note that the space after "=" is intentional. +The space after "=" is intentional. Sample script using the [Set-Service PowerShell cmdlet](/previous-versions/windows/it-pro/windows-powershell-1.0/ee176963(v=technet.10)): @@ -169,7 +169,7 @@ Set-Service -StartupType Disabled ## View per-user services in the Services console (services.msc) -As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the \_LUID format (where LUID is the locally unique identifier). +As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they're displayed using the \_LUID format (where LUID is the locally unique identifier). For example, you might see the following per-user services listed in the Services console: diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 45f7dec8fa..b039ab012b 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -1,11 +1,11 @@ --- title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices. -manager: dougeby -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.reviewer: amanh ms.prod: w11 -author: aczechowski ms.date: 09/15/2021 ms.localizationpriority: medium --- diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index c155a0e790..b61fb4f87e 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -1,11 +1,11 @@ --- title: Get the provisioned apps on Windows client operating system | Microsoft Docs ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 -ms.author: aaroncz -author: aczechowski ms.localizationpriority: medium ms.topic: article --- @@ -17,7 +17,7 @@ ms.topic: article - Windows 10 - Windows 11 -Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. +Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They're per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. This article lists some of the built-in provisioned apps on the different Windows client OS versions, and lists the Windows PowerShell command to get a list. diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index d05b8db3c7..817364d24a 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -2,17 +2,17 @@ title: How to keep apps removed from Windows 10 from returning during an update description: How to keep provisioned apps that were removed from your machine from returning during an update. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 05/25/2018 ms.reviewer: -manager: dougeby --- # How to keep apps removed from Windows 10 from returning during an update > Applies to: Windows 10 (General Availability Channel) -When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed return post-update. This can happen if the computer was offline when you removed the apps. This issue was fixed in Windows 10, version 1803. +When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue. >[!NOTE] >* This issue only occurs after a feature update (from one version to the next), not monthly updates or security-related updates. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 0e20c16ba3..466370dcd1 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -2,10 +2,10 @@ title: Sideload LOB apps in Windows client OS | Microsoft Docs description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. ms.reviewer: -manager: dougeby -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.prod: w10 -author: aczechowski ms.localizationpriority: medium --- diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 7fe5fa1c05..67476d451f 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -2,11 +2,11 @@ title: Service Host service refactoring in Windows 10 version 1703 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 07/20/2017 ms.reviewer: -manager: dougeby --- # Changes to Service Host grouping in Windows 10 diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 89689b0d06..eef2f72573 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -1,11 +1,11 @@ --- title: Get the system apps on Windows client operating system | Microsoft Docs ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 -ms.author: aaroncz -author: aczechowski ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 76d04a5dd1..5260e5f1db 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -2,9 +2,9 @@ title: Windows Tools/Administrative Tools description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users. ms.prod: w10 -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.localizationpriority: medium ms.date: 03/28/2022 ms.topic: article diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index 8b0e587b74..7a16f17f4d 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -1,15 +1,15 @@ --- title: Windows 10 default media removal policy -description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." +description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal. ms.prod: w10 -author: Teresa-Motiv -ms.author: dougeby +author: vinaypamnani-msft +ms.author: vinpa ms.date: 11/25/2020 ms.topic: article ms.custom: -- CI 111493 -- CI 125140 -- CSSTroubleshooting + - CI 111493 + - CI 125140 + - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium manager: kaushika diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index ea9fe24821..50338f7ae8 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -2,12 +2,12 @@ title: Connect to remote Azure Active Directory-joined PC (Windows) description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: dansimp +ms.author: vinpa ms.date: 01/18/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article ms.collection: highpri --- @@ -83,6 +83,9 @@ The table below lists the supported configurations for remotely connecting to an > [!NOTE] > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). +> [!NOTE] +> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). In this scenario, Network Level Authentication should be disabled to run the connection. + ## Related topics [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 85c108b97e..21740e86df 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", + "**/*.svg", "**/*.gif" ], "exclude": [ @@ -41,7 +42,7 @@ "manager": "dansimp", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-client-management", diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index dfb3d72af7..44304f2950 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md @@ -2,12 +2,12 @@ title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10) description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/14/2021 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: troubleshooting --- diff --git a/windows/client-management/images/quick-assist-get.png b/windows/client-management/images/quick-assist-get.png new file mode 100644 index 0000000000..fc7ccdd1a4 Binary files /dev/null and b/windows/client-management/images/quick-assist-get.png differ diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 2bb8db6fd8..4dd2469b3f 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -18,7 +18,7 @@ metadata: manager: dougeby ms.date: 03/28/2022 #Required; mm/dd/yyyy format. localization_priority: medium - + # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: @@ -34,7 +34,7 @@ landingContent: - text: Create mandatory user profiles url: mandatory-user-profile.md - text: Mobile device management (MDM) - url: mdm/index.md + url: mdm/index.yml - text: MDM for device updates url: mdm/device-update-management.md - text: Mobile device enrollment diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 36da3dfcc9..022820d4e9 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -2,11 +2,11 @@ title: Manage corporate devices description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. ms.reviewer: -manager: dansimp -ms.author: dansimp -keywords: ["MDM", "device management"] +manager: aaroncz +ms.author: vinpa +keywords: [MDM, device management] ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/14/2021 ms.topic: article diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 79544bf12c..7c8c46580d 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -2,11 +2,11 @@ title: Manage Device Installation with Group Policy (Windows 10 and Windows 11) description: Find out how to manage Device Installation Restrictions with Group Policy. ms.prod: w10 -author: aczechowski +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: vinpa ms.topic: article --- diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 4914694065..d78eac22f8 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -2,11 +2,11 @@ title: Manage the Settings app with Group Policy (Windows 10 and Windows 11) description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article --- diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0f27f3d1d1..367392eba4 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -4,10 +4,10 @@ description: This article offers strategies for deploying and managing Windows 1 ms.prod: w10 ms.localizationpriority: medium ms.date: 06/03/2022 -author: aczechowski -ms.author: aaroncz +author: vinaypamnani-msft +ms.author: vinpa ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: overview --- diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 18aaf583be..cbf11a9442 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -2,11 +2,11 @@ title: Create mandatory user profiles (Windows 10 and Windows 11) description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. ms.prod: w10 -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 09/14/2021 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article ms.collection: highpri --- diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 6e1bc0d9c6..d4a2294c65 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -2,12 +2,12 @@ title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: -manager: dansimp -ms.author: v-nsatapathy +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 06/22/2021 --- @@ -18,13 +18,13 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| |Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| -The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users. +The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module. 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: @@ -95,4 +95,4 @@ The Language Pack Management CSP allows a direct way to provision languages remo ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index b55a87941f..03a75d8a7a 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -1,14 +1,14 @@ --- title: AccountManagement CSP description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # AccountManagement CSP diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md index 51380b7ed8..d425503b6a 100644 --- a/windows/client-management/mdm/accountmanagement-ddf.md +++ b/windows/client-management/mdm/accountmanagement-ddf.md @@ -1,14 +1,14 @@ --- title: AccountManagement DDF file description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # AccountManagement DDF file diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 95689e3b8f..d447311a4e 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,14 +1,14 @@ --- title: Accounts CSP description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Accounts CSP diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index e522821656..b2bffb3a42 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -1,14 +1,14 @@ --- title: Accounts DDF file description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/17/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Accounts DDF file diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 929b2dc46a..d174729230 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -1,13 +1,13 @@ --- title: ActiveSync CSP -description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. +description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 216550b80b..323fc038e9 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -2,12 +2,12 @@ title: ActiveSync DDF file description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 85a599abb8..f5f05c6ddb 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -2,12 +2,12 @@ title: Add an Azure AD tenant and Azure AD subscription description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index b8a280a346..e8aab159fb 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -2,12 +2,12 @@ title: AllJoynManagement CSP description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index bcb19ed0cd..edc188feac 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -2,12 +2,12 @@ title: AllJoynManagement DDF description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 4502b38c2c..466550a3e5 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -2,12 +2,12 @@ title: APPLICATION CSP description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 2c91bf430b..62648efd94 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -1,11 +1,11 @@ --- title: ApplicationControl CSP DDF description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/10/2019 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 970bfa5103..e587cf8a3c 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -1,11 +1,11 @@ --- title: ApplicationControl CSP description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: jsuther1974 ms.date: 09/10/2020 --- diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 7ed2500275..abccc814e8 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -2,12 +2,12 @@ title: AppLocker CSP description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2019 --- diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 38e2c8e7bc..30adaa5b15 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -2,12 +2,12 @@ title: AppLocker DDF file description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index 9eedf4f812..4c9943e332 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -2,12 +2,12 @@ title: AppLocker XSD description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 79bb949ff1..a407704b93 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,14 +1,14 @@ --- title: Deploy and configure App-V apps using MDM description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Deploy and configure App-V apps using MDM diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index d8c68d15e5..7394103149 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -2,12 +2,12 @@ title: Assign seat description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index cf61a9f2c1..c0085b11e0 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -2,12 +2,12 @@ title: AssignedAccess CSP description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/03/2022 --- diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 276a419912..36b3670dac 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -2,12 +2,12 @@ title: AssignedAccess DDF description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/22/2018 --- diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 5430991444..467e007dd7 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -2,12 +2,12 @@ title: Azure Active Directory integration with MDM description: Azure Active Directory is the world largest enterprise cloud identity management service. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.collection: highpri --- diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index ce25592491..e54875a1df 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,14 +1,14 @@ --- title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7af651d2c0..97ff6341d2 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1,15 +1,15 @@ --- title: BitLocker CSP description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/04/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- @@ -1348,6 +1348,13 @@ Value type is string. Supported operation is Execute. Request ID is expected as a parameter. +> [!NOTE] +> Key rotation is supported only on these enrollment types. For more information, see [deviceEnrollmentType enum](/graph/api/resources/intune-devices-deviceenrollmenttype). +> - windowsAzureADJoin. +> - windowsBulkAzureDomainJoin. +> - windowsAzureADJoinUsingDeviceAuth. +> - windowsCoManagement. + > [!TIP] > Key rotation feature will only work when: > diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index b40819c5e8..663e7d623f 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,15 +1,15 @@ --- title: BitLocker DDF file description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/30/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # BitLocker DDF file diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 19a2fa944c..a02395dea5 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -2,12 +2,12 @@ title: Bulk assign and reclaim seats from users description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index a6d69bff48..c54261ccfa 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 8e5f9ebac8..6c97d9489d 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -2,12 +2,12 @@ title: CellularSettings CSP description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index f7af4adf18..9ea52d92fc 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 078523d5fb..96a2369975 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phdevicemgmt.certificate\_renewal' - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 423745bbf6..585bfdba94 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -2,12 +2,12 @@ title: CertificateStore CSP description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/28/2020 --- diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index d05b283472..a99edbb1e3 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -2,12 +2,12 @@ title: CertificateStore DDF file description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 5eb147ea0c..a01ff5b853 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -1,10 +1,10 @@ --- title: Change history for MDM documentation description: This article lists new and updated articles for Mobile Device Management. -author: aczechowski -ms.author: aaroncz +author: vinaypamnani-msft +ms.author: vinpa ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: article ms.prod: w10 ms.technology: windows @@ -60,7 +60,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| |[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| -|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table. +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table. ## February 2020 @@ -162,7 +162,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |--- | ---| |[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| |[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| -|[Mobile device management](index.md)|Updated information about MDM Security Baseline.| +|[Mobile device management](index.yml)|Updated information about MDM Security Baseline.| ## December 2018 diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 3c615c5b08..74cd9636c7 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -1,14 +1,14 @@ --- title: CleanPC CSP description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # CleanPC CSP diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index d5f5924627..9677737584 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -2,12 +2,12 @@ title: CleanPC DDF description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 8d30b4114c..faff015660 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -2,12 +2,12 @@ title: ClientCertificateInstall CSP description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/30/2021 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index da749c41ae..716eff3eef 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -2,12 +2,12 @@ title: ClientCertificateInstall DDF file description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 2204143dfe..910c3b6c31 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -2,12 +2,12 @@ title: CM\_CellularEntries CSP description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/02/2017 --- diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 94b8c15c30..38d7d17625 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -2,12 +2,12 @@ title: CMPolicy CSP description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index a2858ed680..8515da3881 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -2,12 +2,12 @@ title: CMPolicyEnterprise CSP description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 9714d6d292..47fd1ec39d 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -2,12 +2,12 @@ title: CMPolicyEnterprise DDF file description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index a2167e456e..a9339f8e76 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md @@ -1,12 +1,12 @@ --- title: Secured-core configuration lock description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. -manager: dansimp -ms.author: v-lsaldanha +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w11 ms.technology: windows -author: lovina-saldanha +author: vinaypamnani-msft ms.date: 05/24/2022 --- diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 6c7adbc949..62eca97eea 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2,12 +2,12 @@ title: Configuration service provider reference description: A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.collection: highpri --- diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index de2896f574..759f17f26a 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -2,12 +2,12 @@ title: CustomDeviceUI CSP description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 0433c22507..f847a4ba95 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -2,12 +2,12 @@ title: CustomDeviceUI DDF description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 138c6d80c8..e39e9c9e12 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: Data structures for Microsoft Store for Business description: Learn about the various data structures for Microsoft Store for Business. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_data\_structures' -- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_data\_structures' + - 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 6a6904fd19..ca3b7ea096 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -2,12 +2,12 @@ title: Defender CSP description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/22/2022 --- diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 9bf6463258..1a99f5c85b 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -2,12 +2,12 @@ title: Defender DDF file description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/23/2021 --- diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 23a246c454..a1b368c716 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -2,12 +2,12 @@ title: DevDetail CSP description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/27/2020 --- diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index e1d79c9308..957eb5558f 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -2,12 +2,12 @@ title: DevDetail DDF file description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/03/2020 --- diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 244e26d627..592432a187 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -2,12 +2,12 @@ title: DeveloperSetup CSP description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2018 --- diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index 4d959b186f..ae96fa64df 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -2,12 +2,12 @@ title: DeveloperSetup DDF file description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 030e89915c..bd5f317fc2 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -2,12 +2,12 @@ title: Mobile device management MDM for device updates description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/15/2017 ms.collection: highpri --- diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 2ee9b7eb60..29938e34dc 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -2,12 +2,12 @@ title: DeviceLock CSP description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 75ec208587..974d878b01 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -2,12 +2,12 @@ title: DeviceLock DDF file description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 355ebdc632..b650e3c405 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -1,13 +1,13 @@ --- title: DeviceManageability CSP -description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. +description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index f57ca0aef2..23dd9b8cf6 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -2,12 +2,12 @@ title: DeviceManageability DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index e804c7d30b..c900b41939 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -2,12 +2,12 @@ title: DeviceStatus CSP description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/25/2021 --- diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 5327b89015..9019f6a5b9 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -2,12 +2,12 @@ title: DeviceStatus DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index c8403f3163..fe9309086b 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -2,12 +2,12 @@ title: DevInfo CSP description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 9d99d2d67b..ae70ac7ba1 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -2,12 +2,12 @@ title: DevInfo DDF file description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index ea79a37fdb..b28a49b37e 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -2,19 +2,19 @@ title: Diagnose MDM failures in Windows 10 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/25/2018 ms.collection: highpri --- # Diagnose MDM failures in Windows 10 -To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs. +To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs. ## Download the MDM Diagnostic Information log from Windows 10 PCs @@ -30,32 +30,34 @@ To help diagnose enrollment or device management issues in Windows 10 devices m 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. -## Use command to collect logs directly from Windows 10 PCs +## Use command to collect logs directly from Windows 10 PCs You can also collect the MDM Diagnostic Information logs using the following command: ```xml -mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -zip c:\users\public\documents\MDMDiagReport.zip +mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip "c:\users\public\documents\MDMDiagReport.zip" ``` -- In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. + +- In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. ### Understanding zip structure + The zip file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub -- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls -- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) -- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. -- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool -- MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables -- MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations -- MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command -- *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. +- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls +- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) +- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. +- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool +- MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables +- MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations +- MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command +- *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. -## Collect logs directly from Windows 10 PCs +## Collect logs directly from Windows 10 PCs -Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: +Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: -- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider +- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider Here's a screenshot: @@ -63,34 +65,34 @@ Here's a screenshot: In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer. -**To collect Admin logs** +### Collect admin logs -1. Right click on the **Admin** node. -2. Select **Save all events as**. -3. Choose a location and enter a filename. -4. Click **Save**. -5. Choose **Display information for these languages** and then select **English**. -6. Click **Ok**. +1. Right click on the **Admin** node. +2. Select **Save all events as**. +3. Choose a location and enter a filename. +4. Click **Save**. +5. Choose **Display information for these languages** and then select **English**. +6. Click **Ok**. For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**. -**To collect Debug logs** +### Collect debug logs -1. Right click on the **Debug** node. -2. Select **Save all events as**. -3. Choose a location and enter a filename. -4. Click **Save**. -5. Choose **Display information for these languages** and then select **English**. -6. Click **Ok**. +1. Right click on the **Debug** node. +2. Select **Save all events as**. +3. Choose a location and enter a filename. +4. Click **Save**. +5. Choose **Display information for these languages** and then select **English**. +6. Click **Ok**. -You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. +You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. -## Collect logs remotely from Windows 10 PCs +## Collect logs remotely from Windows 10 PCs When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: -- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin -- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug +- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin +- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug Example: Enable the Debug channel logging @@ -235,27 +237,27 @@ After the logs are collected on the device, you can retrieve the files through t For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected. -1. Open eventvwr.msc. -2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. +1. Open eventvwr.msc. +2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. ![event viewer screenshot.](images/diagnose-mdm-failures9.png) -3. Navigate to the etl file that you got from the device and then open the file. -4. Click **Yes** when prompted to save it to the new log format. +3. Navigate to the etl file that you got from the device and then open the file. +4. Click **Yes** when prompted to save it to the new log format. ![event viewer prompt.](images/diagnose-mdm-failures10.png) ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) -5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. +5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. ![event viewer actions.](images/diagnose-mdm-failures12.png) -6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. +6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. ![event filter for Device Management.](images/diagnose-mdm-failures13.png) -7. Now you're ready to start reviewing the logs. +7. Now you're ready to start reviewing the logs. ![event viewer review logs.](images/diagnose-mdm-failures14.png) @@ -283,5 +285,3 @@ Here's an example of how to collect current MDM device state data using the [Dia ``` - -  diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index cdf8c2917d..119d455dec 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -2,12 +2,12 @@ title: DiagnosticLog CSP description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2019 --- diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 38cf705e56..379b38b3fe 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -2,12 +2,12 @@ title: DiagnosticLog DDF description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index b3582457ad..31fbaa5aa9 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -1,16 +1,16 @@ --- title: Disconnecting from the management infrastructure (unenrollment) description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. -MS-HAID: -- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' -- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' +MS-HAID: + - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' + - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 9938c6c5dc..ad9d6ccc76 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -2,12 +2,12 @@ title: DMAcc CSP description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index b967d91e87..4ba6320269 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -2,12 +2,12 @@ title: DMAcc DDF file description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 165584ee19..dbaec53d02 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -2,12 +2,12 @@ title: DMClient CSP description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index ca0753b5bc..2f7ca1fb7e 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -2,12 +2,12 @@ title: DMClient DDF file description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 27091ecd80..471f590bc9 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -3,20 +3,20 @@ title: DMProcessConfigXMLFiltered function description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML. Search.Refinement.TopicID: 184 ms.reviewer: -manager: dansimp -topic_type: -- apiref -api_name: -- DMProcessConfigXMLFiltered -api_location: -- dmprocessxmlfiltered.dll -api_type: -- DllExport -ms.author: dansimp +manager: aaroncz +topic_type: + - apiref +api_name: + - DMProcessConfigXMLFiltered +api_location: + - dmprocessxmlfiltered.dll +api_type: + - DllExport +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 8a95673243..e9c3080fba 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,14 +1,14 @@ --- title: DMSessionActions CSP description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # DMSessionActions CSP diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index 7cebc030ce..fcb5cb106e 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -1,14 +1,14 @@ --- title: DMSessionActions DDF file description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # DMSessionActions DDF file diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index ce38bf29cd..3e4e54c181 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -1,14 +1,14 @@ --- title: DynamicManagement CSP description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index 0bb1c75f3e..0e2a6dd191 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -2,12 +2,12 @@ title: DynamicManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 6eff7f2a44..1298e152d0 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -2,12 +2,12 @@ title: EAP configuration description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 2c03c1146b..a88665101f 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -2,12 +2,12 @@ title: EMAIL2 CSP description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 7e3c271fc3..ec7d604849 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -2,12 +2,12 @@ title: EMAIL2 DDF file description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 7a4821350c..a8fdcc53b2 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -1,15 +1,15 @@ --- title: Enable ADMX policies in MDM description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/01/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Enable ADMX policies in MDM diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 8076b0a504..b7a2a1544c 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,14 +1,14 @@ --- title: Enroll a Windows 10 device automatically using Group Policy description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/30/2022 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index 75870e43e0..40b17f8970 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md @@ -1,11 +1,11 @@ --- title: EnrollmentStatusTracking DDF description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/17/2019 --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index d345f06255..3ad33fa688 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -1,11 +1,11 @@ --- title: EnrollmentStatusTracking CSP description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/21/2019 --- diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index c64c2d9ba3..d2dc640f22 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -2,12 +2,12 @@ title: Enterprise app management description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/04/2021 --- diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 1e49e6f694..7988975af6 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -2,12 +2,12 @@ title: EnterpriseAPN CSP description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 2e81ae80fd..e83aef75e3 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -2,12 +2,12 @@ title: EnterpriseAPN DDF description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index b2a5361647..23d45c61be 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -1,14 +1,14 @@ --- title: EnterpriseAppVManagement CSP -description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions). -ms.author: dansimp +description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions). +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # EnterpriseAppVManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 1c18aff981..0572ef9f96 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -1,14 +1,14 @@ --- title: EnterpriseAppVManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # EnterpriseAppVManagement DDF file diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 2c237eb14f..bf660969d6 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -3,12 +3,12 @@ title: EnterpriseDataProtection CSP description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/09/2017 --- @@ -27,6 +27,11 @@ The table below shows the applicability of Windows: The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). +> [!NOTE] +> Starting in July 2022, Microsoft is deprecating Windows Information Protection (WIP) and the APIs that support WIP. Microsoft will continue to support WIP on supported versions of Windows. New versions of Windows won't include new capabilities for WIP, and it won't be supported in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-sunset-of-windows-information-protection-wip/ba-p/3579282). +> +> For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Purview simplifies the configuration set-up and provides an advanced set of capabilities. + > [!NOTE] > To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md index 68e337c333..f8be987381 100644 --- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md @@ -2,12 +2,12 @@ title: EnterpriseDataProtection DDF file description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 4b5ab02de2..d06146f5a0 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -3,12 +3,12 @@ title: EnterpriseDesktopAppManagement CSP description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/11/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 0803a2e9ab..dcf0663717 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -2,12 +2,12 @@ title: EnterpriseDesktopAppManagement DDF description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md index c570ad096b..4117208a89 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md @@ -2,12 +2,12 @@ title: EnterpriseDesktopAppManagement XSD description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 7b616f1543..6aed81068c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement CSP description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2021 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 9e25733411..3a270aad3c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement DDF description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/01/2019 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index dc9995f5ef..95016ab8fc 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement XSD description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 30cebf3d9e..cdc60b2936 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -2,9 +2,9 @@ title: eSIM Enterprise Management description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: dansimp +ms.author: vinpa ms.topic: conceptual --- diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 4a840115e0..8d50139134 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,14 +1,14 @@ --- title: eUICCs CSP description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # eUICCs CSP diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index e6d041a4a2..c17f08e0f3 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -2,12 +2,12 @@ title: eUICCs DDF file description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/02/2018 --- diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 1bbe746b59..d0e4cb46c1 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/28/2017 --- diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 022801745a..af9202d9ca 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -1,13 +1,13 @@ --- title: Firewall CSP description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: -manager: dansimp +manager: aaroncz --- # Firewall configuration service provider (CSP) @@ -97,6 +97,7 @@ Firewall ----------------Protocol ----------------LocalPortRanges ----------------RemotePortRanges +----------------IcmpTypesAndCodes ----------------LocalAddressRanges ----------------RemoteAddressRanges ----------------Description @@ -111,6 +112,13 @@ Firewall ----------------FriendlyName ----------------Status ----------------Name +----------------RemoteAddressDynamicKeywords +--------DynamicKeywords +----------------Addresses +-------------------------Id +---------------------------------Keyword +---------------------------------Addresses +---------------------------------AutoResolve ``` **./Vendor/MSFT/Firewall** @@ -340,11 +348,18 @@ Comma separated list of ranges, For example, 100-120,200,300-320. If not specified, the default is All. Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** +ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. + **FirewallRules/*FirewallRuleName*/LocalAddressRanges** Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: - "*" indicates any local address. If present, the local address must be the only token included. - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv4 address. - A valid IPv6 address. - An IPv4 address range in the format of "start address - end address" with no spaces included. - An IPv6 address range in the format of "start address - end address" with no spaces included. @@ -365,7 +380,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru - "Internet" - "Ply2Renders" - "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv4 address. - A valid IPv6 address. - An IPv4 address range in the format of "start address - end address" with no spaces included. - An IPv6 address range in the format of "start address - end address" with no spaces included. @@ -438,6 +454,44 @@ Value type is string. Supported operation is Get. Name of the rule. Value type is string. Supported operations are Add, Get, Replace, and Delete. +**FirewallRules/_FirewallRuleName_/RemoteAddressDynamicKeywords** +Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule. +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +**MdmStore/DynamicKeywords** +Interior node. +Supported operation is Get. + +**MdmStore/DynamicKeywords/Addresses** +Interior node. +Supported operation is Get. + +**MdmStore/DynamicKeywords/Addresses/Id** +A unique GUID string identifier for this dynamic keyword address. +Value type is string. Supported operations are Add, Delete, and Get. + +**MdmStore/DynamicKeywords/Addresses/Id/Keyword** +A String representing a keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain Name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). +Value type is string. Supported operations are Add, Delete, and Get. + +**MdmStore/DynamicKeywords/Addresses/Id/Addresses** +Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value should not be set if AutoResolve is true. + +Valid tokens include: +- A subnet specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv4 address. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address-end address" with no spaces included. +- An IPv6 address range in the format of "start address-end address" with no spaces included. +Supported operations are Add, Delete, Replace, and Get. + +**MdmStore/DynamicKeywords/Addresses/Id/AutoResolve** +Boolean value. If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a Fully Qualified Domain Name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present. +Value type is string. Supported operations are Add, Delete, and Get. +Value type is string. Supported operations are Add, Delete, and Get. + + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index fa54a62a29..50b8729198 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -1,14 +1,14 @@ --- title: Firewall DDF file description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Firewall CSP diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index c4613e5251..2aa1418ebf 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -1,16 +1,16 @@ --- title: Get Inventory description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available. -MS-HAID: -- 'p\_phdevicemgmt.get\_seatblock' -- 'p\_phDeviceMgmt.get\_inventory' +MS-HAID: + - 'p\_phdevicemgmt.get\_seatblock' + - 'p\_phDeviceMgmt.get\_inventory' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index 1b91dfb6f8..373bebf5d7 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -2,12 +2,12 @@ title: Get localized product details description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/07/2020 --- diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 24ff7dd8f5..8960d7a7eb 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -2,12 +2,12 @@ title: Get offline license description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index 2b5f901e1d..14b0e24af9 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -2,12 +2,12 @@ title: Get product details description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index aaeb5a3b5e..2fa11f65b3 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -2,12 +2,12 @@ title: Get product package description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 3eb39cbd7c..4312842783 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -2,12 +2,12 @@ title: Get product packages description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index d0aec2af0b..66b6b7340f 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -2,12 +2,12 @@ title: Get seat description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index a657aa4026..27a30678ae 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -2,12 +2,12 @@ title: Get seats assigned to a user description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 2dc6f0a475..333d467ee8 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -2,12 +2,12 @@ title: Get seats description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 4eb0e57c7d..9c85e6205e 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -2,12 +2,12 @@ title: Device HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: --- diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 65cf48aeb7..1d1e14d1ab 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -2,12 +2,12 @@ title: HealthAttestation DDF description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index e17aa75f60..9d71b7234b 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -1,77 +1,77 @@ --- -title: Implement server-side support for mobile application management on Windows +title: Support for mobile application management on Windows description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp -ms.date: 06/26/2017 +author: vinaypamnani-msft +ms.date: 08/03/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- -# Implement server-side support for mobile application management on Windows +# Support for mobile application management on Windows The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. ## Integration with Azure AD -MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  +MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. -On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. +On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. -Regular non-admin users can enroll to MAM.  +Regular non-admin users can enroll to MAM.  -## Integration with Windows Information Protection +## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  -To make applications WIP-aware, app developers need to include the following data in the app resource file. +To make applications WIP-aware, app developers need to include the following data in the app resource file. ``` syntax -// Mark this binary as Allowed for WIP (EDP) purpose  - MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID - BEGIN - 0x0001 - END  +// Mark this binary as Allowed for WIP (EDP) purpose  + MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID + BEGIN + 0x0001 + END  ``` ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: -MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. +MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. > [!NOTE] -> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  +> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  ## MAM enrollment -MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  +MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  -Below are protocol changes for MAM enrollment:  -- MDM discovery isn't supported. +Below are protocol changes for MAM enrollment:  +- MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional. -- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. +- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. -Here's an example provisioning XML for MAM enrollment. +Here's an example provisioning XML for MAM enrollment. ```xml - - - - - - - - - + + + + + + + + + ``` Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours. @@ -93,14 +93,14 @@ MAM on Windows supports the following configuration service providers (CSPs). Al - [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs. - [RootCaTrustedCertificates CSP](rootcacertificates-csp.md). - [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. -- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. +- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. ## Device lock policies and EAS -MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. +MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. -We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: +We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: - When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies, and reports compliance with EAS. - If the device is found to be compliant, EAS will report compliance with the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance doesn't require device admin rights. diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml new file mode 100644 index 0000000000..93540583f5 --- /dev/null +++ b/windows/client-management/mdm/index.yml @@ -0,0 +1,79 @@ +### YamlMime:Landing + +title: Mobile Device Management # < 60 chars +summary: Find out how to enroll Windows devices and manage company security policies and business applications. # < 160 chars + +metadata: + title: Mobile Device Management # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find out how to enroll Windows devices and manage company security policies and business applications. # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required + services: windows-10 + ms.prod: windows + ms.collection: + - windows-10 + - highpri + ms.custom: intro-hub-or-landing + author: vinaypamnani-msft + ms.author: vinpa + manager: aaroncz + ms.date: 08/04/2022 + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: + # Cards and links should be based on top customer tasks or top subjects + # Start card title with a verb + # Card (optional) + - title: Device enrollment + linkLists: + - linkListType: overview + links: + - text: Mobile device enrollment + url: mobile-device-enrollment.md + - linkListType: concept + links: + - text: Enroll Windows devices + url: mdm-enrollment-of-windows-devices.md + - text: Automatic enrollment using Azure AD + url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - text: Automatic enrollment using Group Policy + url: enroll-a-windows-10-device-automatically-using-group-policy.md + - text: Bulk enrollment + url: bulk-enrollment-using-windows-provisioning-tool.md + + # Card (optional) + - title: Device management + linkLists: + - linkListType: overview + links: + - text: Enterprise settings, policies, and app management + url: windows-mdm-enterprise-settings.md + - linkListType: concept + links: + - text: Enterprise app management + url: enterprise-app-management.md + - text: Device updates management + url: device-update-management.md + - text: Secured-core PC configuration lock + url: config-lock.md + - text: Diagnose MDM failures + url: diagnose-mdm-failures-in-windows-10.md + + # Card (optional) + - title: CSP reference + linkLists: + - linkListType: overview + links: + - text: Configuration service provider reference + url: configuration-service-provider-reference.md + - linkListType: reference + links: + - text: Policy CSP + url: policy-configuration-service-provider.md + - text: Policy CSP - Update + url: policy-csp-update.md + - text: DynamicManagement CSP + url: dynamicmanagement-csp.md + - text: BitLocker CSP + url: bitlocker-csp.md diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index c472c83092..e67b40bb24 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: Management tool for the Microsoft Store for Business description: The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' -- 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' + - 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2017 --- diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index ddd397d1dc..d8748f2ee6 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -1,16 +1,16 @@ --- title: MDM enrollment of Windows 10-based devices description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: -- 'p\_phdevicemgmt.enrollment\_ui' -- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' +MS-HAID: + - 'p\_phdevicemgmt.enrollment\_ui' + - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.collection: highpri --- diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/mdm-overview.md similarity index 95% rename from windows/client-management/mdm/index.md rename to windows/client-management/mdm/mdm-overview.md index 5bd11c744d..d0e376cd1f 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/mdm-overview.md @@ -1,19 +1,18 @@ --- -title: Mobile device management +title: Mobile Device Management overview description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. -MS-HAID: -- 'p\_phDeviceMgmt.provisioning\_and\_device\_management' -- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' -ms.topic: overview -ms.prod: w10 +ms.date: 08/04/2022 ms.technology: windows -author: aczechowski -ms.author: aaroncz +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.collection: highpri -ms.date: 06/03/2022 --- -# Mobile device management +# Mobile Device Management overview Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. @@ -43,7 +42,6 @@ For more information about the MDM policies defined in the MDM security baseline - [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) - - [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index b02ed00f8b..b161e96c13 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -2,12 +2,12 @@ title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/11/2017 ms.collection: highpri --- diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index 3a2861bbf1..0042735b48 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md @@ -1,14 +1,14 @@ --- title: MultiSIM CSP description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/22/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # MultiSIM CSP diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md index 18b9586283..662c3e0384 100644 --- a/windows/client-management/mdm/multisim-ddf.md +++ b/windows/client-management/mdm/multisim-ddf.md @@ -1,14 +1,14 @@ --- title: MultiSIM DDF file description: XML file containing the device description framework for the MultiSIM configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/27/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # MultiSIM DDF diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index f2e5e008b4..2a4d93d58f 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -2,12 +2,12 @@ title: NAP CSP description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index c93d4789ae..ebef8beec0 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -2,12 +2,12 @@ title: NAPDEF CSP description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 47b33480b1..c249a38718 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -1,14 +1,14 @@ --- title: NetworkProxy CSP description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/29/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkProxy CSP diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 2b5f2798f2..ed25d003b2 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -1,14 +1,14 @@ --- title: NetworkProxy DDF file description: AppNetworkProxyLocker DDF file -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkProxy DDF file diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 5f455a3e9c..5b5d5d930e 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -1,14 +1,14 @@ --- title: NetworkQoSPolicy CSP description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkQoSPolicy CSP diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 0ba34a7805..972f823ac5 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -2,12 +2,12 @@ title: NetworkQoSPolicy DDF description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 1c9068aa93..fdfb90c836 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1,16 +1,16 @@ --- title: What's new in MDM enrollment and management description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. -MS-HAID: -- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' -- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' +MS-HAID: + - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' + - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/20/2020 --- diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 09715dd733..dc9bf7a054 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -2,12 +2,12 @@ title: NodeCache CSP description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index e62ba59a21..8fb7117803 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -2,12 +2,12 @@ title: NodeCache DDF file description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index e3ee2537c2..5fc7af65c0 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -1,14 +1,14 @@ --- title: Office CSP description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Office CSP diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 05bf3efc0f..94b6fecffe 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -2,12 +2,12 @@ title: Office DDF description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 --- diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 0a6a1332c0..add5219c9e 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -2,12 +2,12 @@ title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 4d789fb346..129f2a8aae 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 5c2ab3a0c1..d45249dffe 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -2,12 +2,12 @@ title: PassportForWork CSP description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2019 --- diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 0b43dbee05..5bdaf460f7 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -2,12 +2,12 @@ title: PassportForWork DDF description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/29/2019 --- diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 2a21d44f28..465ac4ecd9 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -1,14 +1,14 @@ --- title: Personalization CSP description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Personalization CSP diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index bc7605048f..80cdb39b9b 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -1,14 +1,14 @@ --- title: Personalization DDF file -description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). -ms.author: dansimp +description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Personalization DDF file diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 96ba99c053..e06e70792f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -2,12 +2,12 @@ title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/08/2020 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index fe99b88a1c..55f6a99ca0 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index 58fffbd813..f70f86e654 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index 7d67b45cd3..102a2eb6bc 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 61da8064e2..8687773b6b 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -2,14 +2,14 @@ title: Policies in Policy CSP supported by HoloLens 2 description: Learn about the policies in Policy CSP supported by HoloLens 2. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.date: 06/06/2022 +ms.date: 08/01/2022 --- # Policies in Policy CSP supported by HoloLens 2 @@ -52,12 +52,20 @@ ms.date: 06/06/2022 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 +- [MixedReality/AllowCaptivePortalBeforeSignIn](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforesignin) Insider +- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) +- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) Insider +- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) Insider - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 +- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 +- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) Insider +- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) Insider +- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) Insider - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 @@ -67,6 +75,7 @@ ms.date: 06/06/2022 - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9 - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) +- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) Insider - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) @@ -96,6 +105,11 @@ ms.date: 06/06/2022 - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) +- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) Insider +- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) Insider +- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) Insider +- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) Insider +- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) Insider - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) @@ -140,6 +154,7 @@ Footnotes: - 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2) - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) +- Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). ## Related topics diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md index 0c5f378ed9..710a6bea37 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Windows 10 IoT Core description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/16/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index 5ab411d317..128bb7099b 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Microsoft Surface Hub description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/22/2020 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md index 4f12cf7aec..0529c08779 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md +++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS) description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 023ece8e40..3b79fcf245 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2,12 +2,12 @@ title: Policy CSP description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 ms.collection: highpri diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index e984f6f104..da3b56f932 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AboveLock -description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. -ms.author: dansimp +description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AboveLock diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index e261b05c4e..9320bce051 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Accounts -description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. -ms.author: dansimp +description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Accounts diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index d96b12b249..572eef454e 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ActiveXControls description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ActiveXControls diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 2a3088be3f..05cbc1fcee 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ActiveXInstallService description: Learn about the Policy CSP - ADMX_ActiveXInstallService. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ActiveXInstallService diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 19c86af9d2..cf5b1966c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AddRemovePrograms description: Learn about the Policy CSP - ADMX_AddRemovePrograms. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AddRemovePrograms diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index b7c83023fa..5dd95ce744 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AdmPwd description: Learn about the Policy CSP - ADMX_AdmPwd. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AdmPwd diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 09e0448165..ecdf4b38bf 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppCompat description: Policy CSP - ADMX_AppCompat -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppCompat diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index bfa6e0e368..3e30dc883a 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppxPackageManager description: Learn about the Policy CSP - ADMX_AppxPackageManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppxPackageManager diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index f9d07fe835..786dc5626b 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppXRuntime description: Learn about the Policy CSP - ADMX_AppXRuntime. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppXRuntime diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 991162ca51..0b7733a5a2 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AttachmentManager description: Learn about the Policy CSP - ADMX_AttachmentManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AttachmentManager diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 4ae15d3c3b..d3fbdfca47 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AuditSettings description: Learn about the Policy CSP - ADMX_AuditSettings. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AuditSettings. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index ab01ed785d..52c73b763f 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Bits description: Learn about the Policy CSP - ADMX_Bits. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Bits diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index a0033b3741..86f2b2d508 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CipherSuiteOrder description: Learn about the Policy CSP - ADMX_CipherSuiteOrder. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CipherSuiteOrder diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index d24c27f120..8426131fb5 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_COM description: Learn about the Policy CSP - ADMX_COM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_COM diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index c38abdd5cc..55e7b8a33f 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ControlPanel description: Learn about the Policy CSP - ADMX_ControlPanel. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/05/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ControlPanel diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 8a4ec1282c..637df89faf 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ControlPanelDisplay description: Learn about the Policy CSP - ADMX_ControlPanelDisplay. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/05/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ControlPanelDisplay diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 0191a8c79c..b7c40099e2 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Cpls description: Learn about the Policy CSP - ADMX_Cpls. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Cpls diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 2787753ef1..b72ed7c028 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredentialProviders description: Learn about the Policy CSP - ADMX_CredentialProviders. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredentialProviders diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index fb24354248..fb4a63852b 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredSsp description: Learn about the Policy CSP - ADMX_CredSsp. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredSsp diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index 133b87350c..68623bfc04 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredUI description: Learn about the Policy CSP - ADMX_CredUI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredUI diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 22bb0e2b9c..0d6a23d272 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CtrlAltDel description: Learn about the Policy CSP - ADMX_CtrlAltDel. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CtrlAltDel diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 9f7525d028..18b990f41a 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DataCollection description: Learn about the Policy CSP - ADMX_DataCollection. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DataCollection diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 4e3e20eb48..f826ec41b1 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DCOM description: Learn about the Policy CSP - ADMX_DCOM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DCOM diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 5017634eeb..c18835be26 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Desktop description: Learn about Policy CSP - ADMX_Desktop. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Desktop diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index c1ac73f776..b2ca71c22d 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceCompat description: Learn about Policy CSP - ADMX_DeviceCompat. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 08/09/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceCompat diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 4a673e49f0..d39a25209b 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -1,19 +1,22 @@ --- title: Policy CSP - ADMX_DeviceGuard description: Learn about Policy CSP - ADMX_DeviceGuard. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceGuard +> [!WARNING] +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > @@ -93,4 +96,4 @@ ADMX Info: ## Related topics -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index bbc9785c1b..1da8e03482 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceInstallation description: Learn about Policy CSP - ADMX_DeviceInstallation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceInstallation diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index d3b545c45a..d4559a5746 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceSetup description: Learn about Policy CSP - ADMX_DeviceSetup. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceSetup diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index 029c5a1884..3a36dd326e 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DFS description: Learn about Policy CSP - ADMX_DFS. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DFS diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 0b11ba27af..4cb25e95d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DigitalLocker description: Learn about Policy CSP - ADMX_DigitalLocker. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/31/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DigitalLocker diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 206c700ce3..9262266a8d 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskDiagnostic description: Learn about Policy CSP - ADMX_DiskDiagnostic. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskDiagnostic diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index e3d2d46297..92b5a4725e 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskNVCache description: Learn about Policy CSP - ADMX_DiskNVCache. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskNVCache diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index ac4604b2d6..bc75db6e4a 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskQuota description: Learn about Policy CSP - ADMX_DiskQuota. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskQuota diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 098addf8db..7efbc6544a 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DistributedLinkTracking description: Learn about Policy CSP - ADMX_DistributedLinkTracking. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DistributedLinkTracking diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 080d80ae3d..8af9f82bc0 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DnsClient description: Learn about Policy CSP - ADMX_DnsClient. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DnsClient diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index a3118e564b..920a8c9d98 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DWM description: Learn about Policy CSP - ADMX_DWM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/31/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DWM diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 6b81a966e1..c08bae6677 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EAIME description: Learn about the Policy CSP - ADMX_EAIME. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EAIME diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index 2ef08d8dea..21c1fdf20f 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EncryptFilesonMove description: Learn about the Policy CSP - ADMX_EncryptFilesonMove. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EncryptFilesonMove diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index 7a97834588..01470abcbe 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EnhancedStorage description: Learn about the Policy CSP - ADMX_EnhancedStorage. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EnhancedStorage diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 52dececdfe..75e7132a34 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ErrorReporting description: Learn about the Policy CSP - ADMX_ErrorReporting. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ErrorReporting diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index 0eeeb1a2e2..627492ca73 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventForwarding description: Learn about the Policy CSP - ADMX_EventForwarding. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventForwarding diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 8e16b2c305..471b6a5631 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventLog description: Learn about the Policy CSP - ADMX_EventLog. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventLog diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index 62d1bc8a55..03921b2021 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventLogging description: Learn about the Policy CSP - ADMX_EventLogging. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/12/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventLogging diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index e04745a40b..a3979738bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventViewer description: Learn about the Policy CSP - ADMX_EventViewer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventViewer diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index 36e0b39de2..c3be668f23 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Explorer description: Learn about the Policy CSP - ADMX_Explorer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Explorer diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 93b3bee4e0..7d85473280 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ExternalBoot description: Learn about the Policy CSP - ADMX_ExternalBoot. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ExternalBoot diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index b5239ba4b3..e81f6e1043 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileRecovery description: Learn about the Policy CSP - ADMX_FileRecovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/24/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileRecovery diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index dedad2fa09..6cf18b696b 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileRevocation description: Learn about the Policy CSP - ADMX_FileRevocation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileRevocation diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 71897ec183..5f9d1741bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileServerVSSProvider description: Learn about the Policy CSP - ADMX_FileServerVSSProvider. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileServerVSSProvider diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 0e4f4f4725..e5c5587bc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileSys description: Learn about the Policy CSP - ADMX_FileSys. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileSys diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index fc2f29a559..cca8d67c3b 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FolderRedirection description: Learn about the Policy CSP - ADMX_FolderRedirection. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FolderRedirection diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index ba90f4137d..a30e0b8b87 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FramePanes description: Learn about the Policy CSP - ADMX_FramePanes. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FramePanes diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index a87f70ce8d..d571a60d05 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FTHSVC description: Learn about the Policy CSP - ADMX_FTHSVC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/15/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FTHSVC diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 7483d618f1..51540ef8ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Globalization description: Learn about the Policy CSP - ADMX_Globalization. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Globalization diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index 9b8a2007ca..986333d80f 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_GroupPolicy description: Learn about the Policy CSP - ADMX_GroupPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_GroupPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 603e13fa68..ef05d2efca 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Help description: Learn about the Policy CSP - ADMX_Help. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Help diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index d1db72afc5..e013dc38ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_HelpAndSupport description: Learn about the Policy CSP - ADMX_HelpAndSupport. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_HelpAndSupport diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 48356bdf1a..ba8121417b 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_HotSpotAuth description: Learn about the Policy CSP - ADMX_HotSpotAuth. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/15/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_HotSpotAuth diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index c80b5b8007..9e9178ac7a 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ICM description: Learn about the Policy CSP - ADMX_ICM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ICM diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index c68c2b9d10..cdae65ef17 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_IIS description: Learn about the Policy CSP - ADMX_IIS. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_IIS diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index 67786a4e35..e4938d1f67 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_iSCSI description: Learn about the Policy CSP - ADMX_iSCSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_iSCSI diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 5ea252a9f3..ec99d97b12 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_kdc description: Learn about the Policy CSP - ADMX_kdc. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_kdc diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index a70fa508b8..3cbff4ed32 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Kerberos description: Learn about the Policy CSP - ADMX_Kerberos. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Kerberos diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 4baef48f3a..3fe3659069 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LanmanServer description: Learn about the Policy CSP - ADMX_LanmanServer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LanmanServer diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 1459422b9a..969840fdeb 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LanmanWorkstation description: Learn about the Policy CSP - ADMX_LanmanWorkstation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LanmanWorkstation diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index abf93f8dcf..2f421ddce0 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LeakDiagnostic description: Learn about the Policy CSP - ADMX_LeakDiagnostic. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LeakDiagnostic diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 8af8087093..ac18bf4c6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LinkLayerTopologyDiscovery description: Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/04/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LinkLayerTopologyDiscovery diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index 34d7b1561d..6557e565a3 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LocationProviderAdm description: Learn about Policy CSP - ADMX_LocationProviderAdm. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LocationProviderAdm diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 39410f580e..3386f503ec 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Logon description: Learn about Policy CSP - ADMX_Logon. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Logon diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index b600ea3664..88b2c471c4 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MicrosoftDefenderAntivirus description: Learn about Policy CSP - ADMX_MicrosoftDefenderAntivirus. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp -ms.date: 01/03/2022 +author: vinaypamnani-msft +ms.date: 08/19/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MicrosoftDefenderAntivirus @@ -3757,7 +3757,7 @@ ADMX Info: -This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. We don't recommend setting the value to less than 2 days to prevent machines from going out of date. @@ -4797,4 +4797,4 @@ ADMX Info: ## Related topics -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 66f7ee9fa5..1d1d07a118 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MMC description: Learn about Policy CSP - ADMX_MMC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MMC diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index 42d6a7faa7..1dc887ce45 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MMCSnapins description: Learn about Policy CSP - ADMX_MMCSnapins. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MMCSnapins diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index 5beff76d0e..462bfc2801 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MobilePCMobilityCenter description: Learn about Policy CSP - ADMX_MobilePCMobilityCenter. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MobilePCMobilityCenter diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index 382e64f23d..a0b6581b36 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MobilePCPresentationSettings description: Learn about Policy CSP - ADMX_MobilePCPresentationSettings. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MobilePCPresentationSettings diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index e95aac830e..a706344772 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSAPolicy description: Learn about Policy CSP - ADMX_MSAPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSAPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index a3e9d15464..039423c269 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_msched description: Learn about Policy CSP - ADMX_msched. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_msched diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 01e72fdc64..3cf6d8ccbd 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSDT description: Learn about Policy CSP - ADMX_MSDT. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSDT diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index af31120c3c..ee2aa88f20 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSI description: Learn about Policy CSP - ADMX_MSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSI diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index 54717a8f50..b1d046c306 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MsiFileRecovery description: Learn about Policy CSP - ADMX_MsiFileRecovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MsiFileRecovery diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 2b520f4ec5..7bfd8617d3 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_nca description: Policy CSP - ADMX_nca -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_nca diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 41bfae8db7..ddb9baa7e7 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_NCSI description: Learn about Policy CSP - ADMX_NCSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_NCSI diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 517f41ab17..119133aa16 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Netlogon description: Learn about Policy CSP - ADMX_Netlogon. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Netlogon diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 210fdcd3ca..178901d5b6 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_NetworkConnections description: Learn about Policy CSP - ADMX_NetworkConnections. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_NetworkConnections diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 7d60db6150..efc0936d36 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_OfflineFiles description: Learn about Policy CSP - ADMX_OfflineFiles. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_OfflineFiles diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 21b21c87e2..28a333dfcc 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_pca description: Learn about Policy CSP - ADMX_pca. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_pca diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 7218cc97d6..b5e4199768 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PeerToPeerCaching description: Learn about Policy CSP - ADMX_PeerToPeerCaching. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PeerToPeerCaching diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index faf9afb98a..322223fccc 100644 --- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PenTraining description: Learn about Policy CSP - ADMX_PenTraining. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PenTraining diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 18ce028bb6..7c956fcf64 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PerformanceDiagnostics description: Learn about Policy CSP - ADMX_PerformanceDiagnostics. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PerformanceDiagnostics diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index d77be55b2b..e1e9ee133b 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Power description: Learn about Policy CSP - ADMX_Power. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Power diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index d9933722cc..0818fc3b94 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PowerShellExecutionPolicy description: Learn about Policy CSP - ADMX_PowerShellExecutionPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PowerShellExecutionPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index cb7bb6a236..05320e6fd6 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PreviousVersions description: Policy CSP - ADMX_PreviousVersions -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PreviousVersions diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index fa322d02d0..f107901b56 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Printing description: Learn about Policy CSP - ADMX_Printing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Printing diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 74159d9d3c..3032187dbe 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Printing2 description: Learn about Policy CSP - ADMX_Printing2. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Printing2 diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 681645a684..3758a6ba32 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Programs description: Learn about Policy CSP - ADMX_Programs. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Programs diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index 4e6309ff2a..d5ba645c1e 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PushToInstall description: Learn about Policy CSP - ADMX_PushToInstall. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PushToInstall diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index dc01eef4a8..bcfa2454cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Radar description: Learn about Policy CSP - ADMX_Radar. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Radar diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index fd6026410b..08a42720fb 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Reliability description: Policy CSP - ADMX_Reliability -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Reliability diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 5433779640..5d6a8d5676 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RemoteAssistance description: Learn about Policy CSP - ADMX_RemoteAssistance. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RemoteAssistance diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index a823f286cf..f4f47dc890 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RemovableStorage description: Learn about Policy CSP - ADMX_RemovableStorage. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RemovableStorage diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index 5215c95259..6f085b0205 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RPC description: Learn about Policy CSP - ADMX_RPC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RPC diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 06fc58ebc7..fec515d046 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Scripts description: Learn about Policy CSP - ADMX_Scripts. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Scripts diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index 7d9082639e..354380bdd2 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_sdiageng description: Learn about Policy CSP - ADMX_sdiageng. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_sdiageng diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index 1b35263fab..84cea15e19 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_sdiagschd description: Learn about Policy CSP - ADMX_sdiagschd. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_sdiagschd diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index db28229ae8..66efb88c7f 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Securitycenter description: Learn about Policy CSP - ADMX_Securitycenter. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Securitycenter diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 2849e15624..37049367dc 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Sensors description: Learn about Policy CSP - ADMX_Sensors. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Sensors diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index a14eb4488d..2f5de5c9a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ServerManager description: Learn about Policy CSP - ADMX_ServerManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ServerManager diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index e4d18d9a66..07ca3a013c 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Servicing description: Learn about Policy CSP - ADMX_Servicing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Servicing diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index c7355a160c..c68630eec1 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SettingSync description: Learn about Policy CSP - ADMX_SettingSync. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SettingSync diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index c48eab98b9..a018d51a65 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SharedFolders description: Learn about Policy CSP - ADMX_SharedFolders. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SharedFolders diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 9a02cd3b35..77f8afb7f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Sharing description: Learn about Policy CSP - ADMX_Sharing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Sharing diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index e226b26906..fa6a4ebe37 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ShellCommandPromptRegEditTools description: Learn about Policy CSP - ADMX_ShellCommandPromptRegEditTools. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ShellCommandPromptRegEditTools diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 6c6fae1e34..8145f4e15f 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Smartcard description: Learn about Policy CSP - ADMX_Smartcard. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Smartcard diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 0767b4c97c..a65f75e734 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Snmp description: Learn about Policy CSP - ADMX_Snmp. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/24/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Snmp diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index 77dcf00f34..dcc94a5737 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SoundRec description: Learn about Policy CSP - ADMX_SoundRec. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SoundRec diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index 125aec535d..b5f0f4d1cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_srmfci description: Learn about Policy CSP - ADMX_srmfci. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_srmfci diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 78b189b308..8c6e907ba3 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_StartMenu description: Learn about Policy CSP - ADMX_StartMenu. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_StartMenu diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 3349d83359..4ca5a3d3a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SystemRestore description: Learn about Policy CSP - ADMX_SystemRestore. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SystemRestore diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 2517de0c90..cfc57b2098 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TabletShell description: Learn about Policy CSP - ADMX_TabletShell. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TabletShell diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 259cfc544c..3436685cc9 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Taskbar description: Learn about Policy CSP - ADMX_Taskbar. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Taskbar diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 227131133b..7ef48341ef 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_tcpip description: Learn about Policy CSP - ADMX_tcpip. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_tcpip diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 3f070da798..f4dd3f6be6 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TerminalServer description: Learn about Policy CSP - ADMX_TerminalServer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TerminalServer diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 4cbe4a167f..b8a2fd7483 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Thumbnails description: Learn about Policy CSP - ADMX_Thumbnails. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/25/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Thumbnails diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 477fec0b8c..776951f78d 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TouchInput description: Learn about Policy CSP - ADMX_TouchInput. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TouchInput diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index c7e72a4d44..2e39f46e4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TPM description: Learn about Policy CSP - ADMX_TPM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/25/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TPM diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index 1b4c199855..c5a2aabcc3 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_UserExperienceVirtualization description: Learn about Policy CSP - ADMX_UserExperienceVirtualization. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/30/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_UserExperienceVirtualization diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 799a90014c..f6d9875e16 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_UserProfiles description: Learn about Policy CSP - ADMX_UserProfiles. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_UserProfiles diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 7324ca3459..9ec5b2733d 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_W32Time description: Learn about Policy CSP - ADMX_W32Time. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_W32Time diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index eeeacfe4ca..d396e0aaae 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WCM description: Learn about Policy CSP - ADMX_WCM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WCM diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index a5b1ce11d8..b3a2aefd94 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WDI description: Learn about Policy CSP - ADMX_WDI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WDI diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index 81cb16ebed..410eda6d2b 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinCal description: Policy CSP - ADMX_WinCal -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinCal diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index 08e1bacf93..c575e5f9a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsColorSystem description: Policy CSP - ADMX_WindowsColorSystem -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsColorSystem diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 59c5880a8b..8d93498e0d 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsConnectNow description: Policy CSP - ADMX_WindowsConnectNow -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsConnectNow diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index cb885ee871..5dd0274b06 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsExplorer description: Policy CSP - ADMX_WindowsExplorer -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/29/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsExplorer diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index d8b921b3e5..e2b7d6b653 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsMediaDRM description: Policy CSP - ADMX_WindowsMediaDRM -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsMediaDRM diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index dee6a3efe7..15f9ca5c47 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsMediaPlayer description: Policy CSP - ADMX_WindowsMediaPlayer -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsMediaPlayer diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 927b7686c7..902f22ebc8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsRemoteManagement description: Policy CSP - ADMX_WindowsRemoteManagement -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsRemoteManagement diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 72fffb643f..3a56097a51 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsStore description: Policy CSP - ADMX_WindowsStore -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsStore diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index 421da6c478..0f1c09fbca 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinInit description: Policy CSP - ADMX_WinInit -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/29/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinInit diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index 92bcea8397..767e746db8 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinLogon description: Policy CSP - ADMX_WinLogon -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinLogon diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 9b5ea557d1..7d744cb320 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Winsrv description: Policy CSP - ADMX_Winsrv -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Winsrv diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index aeda8eb64c..146fa04b1b 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_wlansvc description: Policy CSP - ADMX_wlansvc -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_wlansvc diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index 57124ac9b3..b027226ee8 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WordWheel description: Policy CSP - ADMX_WordWheel -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WordWheel diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 3a455a27b2..56d08ee87f 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WorkFoldersClient description: Policy CSP - ADMX_WorkFoldersClient -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WorkFoldersClient diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 857a782385..6397e4e333 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WPN description: Policy CSP - ADMX_WPN -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WPN diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 08788dc5cf..db27b3a605 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ApplicationDefaults description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ApplicationDefaults diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index a7f90d8ef1..a9bd9d1f06 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ApplicationManagement description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ApplicationManagement diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index a73acd40df..ab3b3c38da 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AppRuntime description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AppRuntime diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 04b7a70206..9803e28948 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AppVirtualization description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AppVirtualization diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 321527a0e3..2878642c3e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AttachmentManager description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AttachmentManager diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 2673bc236e..f70ec5324f 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,11 +1,11 @@ --- title: Policy CSP - Audit description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 --- diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index b934f952aa..b7a3091207 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,14 +1,14 @@ --- title: Policy CSP - Authentication description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: bobgil -manager: dansimp +manager: aaroncz --- # Policy CSP - Authentication diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index ac10523d39..cbccee0f6f 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Autoplay description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Autoplay diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index e56c8f51fb..7aa01b7d63 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,15 +1,15 @@ --- title: Policy CSP - BitLocker description: Use the Policy configuration service provider (CSP) - BitLocker to manage encryption of PCs and devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - BitLocker diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 19cb5e2ce2..639d2c8e86 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,15 +1,15 @@ --- title: Policy CSP - BITS -description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. -ms.author: dansimp +description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - BITS diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 8312708e30..0a044cfc57 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Bluetooth description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Bluetooth diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 2c340877a4..6da1550f1d 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4,11 +4,11 @@ description: Learn how to use the Policy CSP - Browser settings so you can confi ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz ms.localizationpriority: medium --- diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 64b48bbc40..ed98c5d85b 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Camera description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Camera diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 62837b80db..eb2180cddd 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Cellular description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Cellular diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 661ffccaf9..f4dc267b7a 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Connectivity description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz --- # Policy CSP - Connectivity diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index d795f177d4..da457db759 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -1,14 +1,14 @@ --- title: Policy CSP - ControlPolicyConflict description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ControlPolicyConflict diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index beeffe2585..28f4edb5ec 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialProviders description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialProviders diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index e459f00b15..4236a94376 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialsDelegation description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialsDelegation diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index d126286e24..fd869a6c75 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialsUI description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialsUI diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 31ebde8cc2..1eb727623a 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Cryptography description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Cryptography diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 43dc6aeab0..9bb4559320 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DataProtection description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DataProtection diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 5e271eabfc..0950d10f87 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DataUsage -description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. -ms.author: dansimp +description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DataUsage diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 934f417af1..6c42ebfde5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Defender description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 05/12/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- @@ -1483,7 +1483,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans. +If you disable or don't configure this setting, no changes will be made to CPU priority for scheduled scans. Supported values: @@ -1922,10 +1922,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Selects the time of day that the Windows Defender quick scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. +Selects the time of day that the Windows Defender quick scan should run. The Windows Defender quick scan runs daily if a time is specified. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index f49ee66cee..f272b05108 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeliveryOptimization description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 06/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeliveryOptimization diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 4d3d97a6bd..6e4f8b2502 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Desktop description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Desktop diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 09369cf747..d34fce4b14 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceGuard description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceGuard diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 65ccf2ff72..b412a147d6 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceHealthMonitoring description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceHealthMonitoring diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ee81f379cf..9ba8e12f78 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -1,14 +1,14 @@ --- title: Policy CSP - DeviceInstallation ms.reviewer: -manager: dansimp +manager: aaroncz description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. -ms.author: dansimp +ms.author: vinpa ms.date: 09/27/2019 ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium --- diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 39fa89a03f..96b7ecf2c1 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceLock description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 05/16/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceLock diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 25318d988f..601c24c077 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Display description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Display diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 648380d02b..1188039966 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DmaGuard description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DmaGuard diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 94c84c45ca..9b16db9fd4 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EAP -description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. -ms.author: dansimp +description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EAP diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index edab7bcabf..1fd25bb275 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Education -description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. -ms.author: dansimp +description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Education diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index df2804c31e..2c125b1d1f 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EnterpriseCloudPrint description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EnterpriseCloudPrint diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 720f5cae3c..f387a56a6e 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ErrorReporting description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ErrorReporting diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 1616de5ece..3212b6504e 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EventLogService description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EventLogService diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index ae3ff0f9a6..80986cd431 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Experience description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Experience @@ -925,10 +925,10 @@ The following list shows the supported values: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|Yes| +|Home|No|No| |Pro|No|Yes| |Windows SE|No|Yes| -|Business|No|No| +|Business|No|Yes| |Enterprise|No|Yes| |Education|No|Yes| diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 80582e1ec2..c187c4bbef 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ExploitGuard description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ExploitGuard diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index f8a8f5eea5..281f12f579 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Feeds description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. -ms.author: v-nsatapathy +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Feeds diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index b46e93af9c..5f49f1d40e 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - FileExplorer description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - FileExplorer diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index e6fde52f63..16a07d2e71 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Games description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Games diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 8602af165b..3146be4db8 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Handwriting description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Handwriting diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 8b672ccbbf..df30b8f920 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,15 +1,15 @@ --- title: Policy CSP - HumanPresence description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - HumanPresence diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 1f621319a6..ef76b0c2fb 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,14 +1,14 @@ --- title: Policy CSP - InternetExplorer description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - InternetExplorer @@ -4415,7 +4415,7 @@ The following list shows the supported values: ADMX Info: -- GP Friendly name: *Allows enterprises to provide their users with a single-browser experience* +- GP Friendly name: *Enable extended hot keys in Internet Explorer mode* - GP name: *EnableExtendedIEModeHotkeys* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -14317,4 +14317,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 5e4320bf4c..0e1fdaeb77 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Kerberos description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Kerberos diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index e5a08afafe..e1456fa569 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -1,15 +1,15 @@ --- title: Policy CSP - KioskBrowser description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - KioskBrowser diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 40e82cbc5d..15b727545c 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LanmanWorkstation description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LanmanWorkstation diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 80e2f0bd5a..af74d4384d 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Licensing description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Licensing diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index af2cf856e3..21dfa77d35 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LocalPoliciesSecurityOptions description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 12/16/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LocalPoliciesSecurityOptions diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 46d691f702..c2c636a46f 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LocalUsersAndGroups description: Policy CSP - LocalUsersAndGroups -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LocalUsersAndGroups diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 97ea810006..7b338795e8 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LockDown description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LockDown diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 6ee7e3956d..d62a84d748 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Maps description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Maps diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index 92d62d27ee..37bcafe0e4 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MemoryDump description: Use the Policy CSP -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MemoryDump diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index f002adc108..ea92d4a966 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Messaging description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Messaging diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index b0f1607d6b..e49f9c7be8 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,14 +1,14 @@ --- title: Policy CSP - MixedReality description: Policy CSP - MixedReality -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MixedReality @@ -22,6 +22,12 @@ manager: dansimp
MixedReality/AADGroupMembershipCacheValidityInDays
+
+ MixedReality/AllowCaptivePortalBeforeSignIn +
+
+ MixedReality/AllowLaunchUriInSingleAppKiosk +
MixedReality/AutoLogonUser
@@ -30,6 +36,12 @@ manager: dansimp
MixedReality/ConfigureMovingPlatform +
+
+ MixedReality/ConfigureNtpClient +
+
+ MixedReality/DisallowNetworkConnectivityPassivePolling
MixedReality/FallbackDiagnostics @@ -37,9 +49,21 @@ manager: dansimp
MixedReality/HeadTrackingMode
+
+ MixedReality/ManualDownDirectionDisabled +
MixedReality/MicrophoneDisabled
+
+ MixedReality/NtpClientEnabled +
+
+ MixedReality/SkipCalibrationDuringSetup +
+
+ MixedReality/SkipTrainingDuringSetup +
MixedReality/VisitorAutoLogon
@@ -79,7 +103,74 @@ Steps to use this policy correctly:
-**MixedReality/AutoLogonUser** +**MixedReality/AllowCaptivePortalBeforeSignIn** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. + +MixedReality/AllowCaptivePortalBeforeSignIn + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn` + +Bool value + + + + + + +**MixedReality/AllowLaunchUriInSingleAppKiosk** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-fi. + +By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. + +The OMA-URI of policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk` + +Bool value + + + + + + +**MixedReality/AutoLogonUser** @@ -90,7 +181,7 @@ Steps to use this policy correctly: |HoloLens 2|Yes| -This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign in. +This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign-in. When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must sign in to the device at least once to enable autologon. @@ -101,7 +192,7 @@ Supported value is String. - User with the same email address will have autologon enabled. -On a device where this policy is configured, the user specified in the policy will need to sign in at least once. Subsequent reboots of the device after the first sign in will have the specified user automatically signed in. Only a single autologon user is supported. Once enabled, the automatically signed-in user won't be able to sign out manually. To sign in as a different user, the policy must first be disabled. +On a device where this policy is configured, the user specified in the policy will need to sign in at least once. Subsequent reboots of the device after the first sign-in will have the specified user automatically signed in. Only a single autologon user is supported. Once enabled, the automatically signed-in user won't be able to sign out manually. To sign in as a different user, the policy must first be disabled. > [!NOTE] > @@ -204,7 +295,7 @@ The following list shows the supported values: -This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). +This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). @@ -222,6 +313,107 @@ Supported value is Integer.
+ +**MixedReality/ConfigureNtpClient** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +You may want to configure a different time server for your device fleet. IT admins can use thi policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy. + +This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters. + +> [!NOTE] +> This feature requires enabling[NtpClientEnabled](#mixedreality-ntpclientenabled) as well. + +- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureNtpClient` + +> [!NOTE] +> Reboot is required for these policies to take effect. + + + + + + + + +- Data Type: String +- Value: + +``` + +``` + + + +
+ + +**MixedReality/DisallowNetworkConnectivityPassivePolling** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +Windows Network Connectivity Status Indicator may get false positive Internet capable signal from passive polling. That may result in unexpected Wi-Fi adapter reset when device connects to an intranet only access point. Enabling this policy would avoid unexpected network interruptions caused by false positive NCSI passive polling. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/DisallowNetworkConnectivityPassivePolling` + +- Bool value + + + + +
+ **MixedReality/FallbackDiagnostics** @@ -309,6 +501,46 @@ The following list shows the supported values:
+ +**MixedReality/ManualDownDirectionDisabled** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls whether the user can change down direction manually or not. If no down direction is set by the user, then an automatically calculated down direction is used by the system. This policy has no dependency on ConfigureMovingPlatform policy and they can be set independently. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ManualDownDirectionDisabled` + + + + + +Supported values: + +- **False (Default)** - User can manually change down direction if they desire, otherwise down direction will be determined automatically based on the measured gravity vector. +- **True** - User can’t manually change down direction and down direction will be always determined automatically based on the measured gravity vector. + + + **MixedReality/MicrophoneDisabled** @@ -349,6 +581,120 @@ The following list shows the supported values: - 1 - True + + +**MixedReality/NtpClientEnabled** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +This policy setting specifies whether the Windows NTP Client is enabled. + +- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/NtpClientEnabled` + + + + + + +- Data Type: String +- Value `` + + + + +
+ + +**MixedReality/SkipCalibrationDuringSetup** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +Skips the calibration experience on HoloLens 2 devices when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to calibrate their device from the Settings app. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringSetup` + +- Bool value + + + + +
+ + +**MixedReality/SkipTrainingDuringSetup** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +On HoloLens 2 devices, skips the training experience of interactions with the humming bird and start menu training when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to learn these movement controls from the Tips app. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringSetup` + +- Bool value + + +
@@ -442,4 +788,4 @@ The following list shows the supported values: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index c85466d3ee..d2b17be697 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MSSecurityGuide description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MSSecurityGuide diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 83db3103f2..d6d732e4cf 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MSSLegacy -description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. -ms.author: dansimp +description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MSSLegacy diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 9f93048ae9..0329b17188 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Multitasking description: Policy CSP - Multitasking -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/30/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Multitasking diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 4b81789c59..d2d4a901b0 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - NetworkIsolation description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NetworkIsolation diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 72328ad669..bd33a1ddfa 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - NetworkListManager description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure. -ms.author: v-nsatapathy +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 12/16/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NetworkListManager diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 5d8350eed5..59566c1026 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -1,15 +1,15 @@ --- title: Policy CSP - NewsAndInterests description: Learn how Policy CSP - NewsandInterests contains a list of news and interests. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NewsAndInterests @@ -34,11 +34,11 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|Yes| |Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
@@ -83,4 +83,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 3039a6845a..32ddde9d1a 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Notifications description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Notifications diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index ca3d7e34bd..117535d8e7 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Power description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Power diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 3fe4de393e..bcce2e1390 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Printers -description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers. -ms.author: dansimp +description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Printers diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 6f984cad6c..eef582a24e 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Privacy description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Privacy diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 0faafb160a..eb47527466 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteAssistance description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteAssistance diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 077e297205..85588a127d 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteDesktop description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteDesktop diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index bc4a782639..5d03cb7066 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteDesktopServices description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteDesktopServices @@ -33,6 +33,9 @@ manager: dansimp RemoteDesktopServices/DoNotAllowPasswordSaving
+
+ RemoteDesktopServices/DoNotAllowWebAuthnRedirection +
RemoteDesktopServices/PromptForPasswordUponConnection
@@ -130,7 +133,7 @@ ADMX Info: -Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. +Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: @@ -257,6 +260,56 @@ ADMX Info:
+ +**RemoteDesktopServices/DoNotAllowWebAuthnRedirection** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). + +By default, Remote Desktop allows redirection of WebAuthn requests. + +If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session. + +If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. + +If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session. + + + +ADMX Info: +- GP Friendly name: *Do not allow WebAuthn redirection* +- GP name: *TS_WEBAUTHN* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* +- GP ADMX file name: *terminalserver.admx* + + + + +
+ **RemoteDesktopServices/PromptForPasswordUponConnection** @@ -367,4 +420,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 82936149da..ff88b2a36d 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteManagement description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteManagement diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 29a499d619..8708f25937 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteProcedureCall description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they're making contains authentication information. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteProcedureCall diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 9596508d36..53820c929c 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteShell description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteShell diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 74e05f8d7b..4e4e6b8876 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RestrictedGroups description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 04/07/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RestrictedGroups diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 6c61c3e748..60777e520f 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Search description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Search diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 7399515109..dced08216c 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Security description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Security diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 55e1034d36..20f852795a 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -1,7 +1,7 @@ --- title: Policy CSP - ServiceControlManager description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 1b3303cfb8..37e5e21450 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Settings description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Settings diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index cb36588175..11d6e32c39 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -1,15 +1,15 @@ --- title: Policy CSP - SmartScreen description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - SmartScreen diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index f46af42add..b97360b3f1 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Speech description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Speech diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 3eacbd485d..e794d81f7b 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Start description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Start diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a9e43b4855..d0117fde5d 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Storage description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 03/25/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Storage diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b44458dd98..4e5c11cbed 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,15 +1,15 @@ --- title: Policy CSP - System description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/26/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - System diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 7ecb2141a8..dda3779328 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,15 +1,15 @@ --- title: Policy CSP - SystemServices description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - SystemServices diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 123b672f38..359565b3aa 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TaskManager description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TaskManager diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 841d5e8f3e..f6493ca356 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TaskScheduler description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TaskScheduler diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 0d6692ed2c..f2976b8893 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TextInput description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 03/03/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TextInput diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index a580e736f3..610c3a4580 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TimeLanguageSettings description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/28/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TimeLanguageSettings diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index d588058db0..44b6119a56 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -1,11 +1,11 @@ --- title: Policy CSP - Troubleshooting description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 --- diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 4c9d94d790..e056057f7a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Update description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.date: 03/18/2022 +ms.date: 06/15/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- @@ -138,6 +138,9 @@ ms.collection: highpri
Update/ManagePreviewBuilds +
+
+ Update/NoUpdateNotificationDuringActiveHours
Update/PauseDeferrals @@ -2382,6 +2385,55 @@ The following list shows the supported values:
+ +**Update/NoUpdateNotificationDuringActiveHours** + + +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. + +Supported value type is a boolean. + +0 (Default) This configuration will provide the default behavior (notifications may display during active hours) +1: This setting will prevent notifications from displaying during active hours. + + + +ADMX Info: +- GP Friendly name: *Display options for update notifications* +- GP name: *NoUpdateNotificationDuringActiveHours* +- GP element: *NoUpdateNotificationDuringActiveHours* +- GP path: *Windows Components\WindowsUpdate\Manage end user experience* +- GP ADMX file name: *WindowsUpdate.admx* + + + +
+ + **Update/PauseDeferrals** @@ -3253,10 +3305,7 @@ The table below shows the applicability of Windows: -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Enables the IT admin to schedule the time of the update installation. +Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation. The supported data type is an integer. @@ -3478,7 +3527,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForDriver** +**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** The table below shows the applicability of Windows: @@ -3508,12 +3557,12 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -3527,8 +3576,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Driver from Windows Update. -- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Drivers from Windows Update. +- 1: Enabled, Detect, download, and deploy Drivers from Windows Server Update Server (WSUS). @@ -3536,7 +3585,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForFeature** +**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** The table below shows the applicability of Windows: @@ -3563,15 +3612,15 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -3585,8 +3634,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Feature from Windows Update. -- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Feature Updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Feature Updates from Windows Server Update Server (WSUS). @@ -3594,7 +3643,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForOther** +**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** The table below shows the applicability of Windows: @@ -3621,15 +3670,15 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -3643,8 +3692,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Other from Windows Update. -- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Other updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Other updates from Windows Server Update Server (WSUS). @@ -3652,7 +3701,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForQuality** +**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** The table below shows the applicability of Windows: @@ -3679,15 +3728,15 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -3701,8 +3750,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Quality from Windows Update. -- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Quality Updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Quality Updates from Windows Server Update Server (WSUS). @@ -4013,4 +4062,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 9d126f072e..628076c675 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,15 +1,15 @@ --- title: Policy CSP - UserRights description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/24/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - UserRights diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index 4d39b65348..1647ce615c 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -1,15 +1,15 @@ --- title: Policy CSP - VirtualizationBasedTechnology description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: alekyaj +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - VirtualizationBasedTechnology diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5306104d5c..8d71416429 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Wifi description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Wifi diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 5f934b05bd..80be71fb1a 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsAutoPilot description: Learn to use the Policy CSP - WindowsAutoPilot setting to enable or disable Autopilot Agility feature. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: alekyaj +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsAutoPilot diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index efce371108..8ebc7d88fe 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsConnectionManager description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain-based network and a non-domain-based network simultaneously. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsConnectionManager diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 665a0824e5..874ba7b1ce 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsDefenderSecurityCenter -description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. -ms.author: dansimp +description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsDefenderSecurityCenter diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index b6cd4ac1ab..6879085541 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsInkWorkspace description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsInkWorkspace diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4951a14248..bb762016fc 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsLogon description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsLogon diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 2aa49f3cfb..e03c8cee0e 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsPowerShell description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsPowerShell diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index 8a946c0358..b66b784a64 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,11 +1,11 @@ --- title: Policy CSP - WindowsSandbox description: Policy CSP - WindowsSandbox -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/14/2020 --- diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 54953f93ee..f3891cb68f 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WirelessDisplay description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WirelessDisplay diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index bffc844378..16bce236f5 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -2,12 +2,12 @@ title: Policy DDF file description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/28/2020 --- diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index cf2bf86897..5b0882d135 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -2,12 +2,12 @@ title: Provisioning CSP description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 5c41f9aa36..5f5f318d06 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -1,16 +1,16 @@ --- title: Push notification support for device management description: The DMClient CSP supports the ability to configure push-initiated device management sessions. -MS-HAID: -- 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' -- 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' +MS-HAID: + - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' + - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index cae3527452..78bb60896b 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -2,12 +2,12 @@ title: PXLOGICAL configuration service provider description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 1934327705..50bb03819f 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -2,12 +2,12 @@ title: Reboot CSP description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index ec6084c3b0..3628eaf7e4 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -2,12 +2,12 @@ title: Reboot DDF file description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index c5f35430d4..bdd37fcbbe 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -2,12 +2,12 @@ title: Reclaim seat from user description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/05/2020 --- diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index a51ff42cae..c73053417b 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -2,12 +2,12 @@ title: Register your free Azure Active Directory subscription description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index 4453fedf30..96140781af 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -2,12 +2,12 @@ title: RemoteFind CSP description: The RemoteFind configuration service provider retrieves the location information for a particular device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md index 1cc00be86b..e92498a5f3 100644 --- a/windows/client-management/mdm/remotefind-ddf-file.md +++ b/windows/client-management/mdm/remotefind-ddf-file.md @@ -2,12 +2,12 @@ title: RemoteFind DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 0e0012bb4b..441f69fe60 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -2,12 +2,12 @@ title: RemoteRing CSP description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 39a3e28d9e..07413835c9 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -2,12 +2,12 @@ title: RemoteWipe CSP description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 --- @@ -24,9 +24,10 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen. +The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. + ``` ./Vendor/MSFT RemoteWipe @@ -39,15 +40,16 @@ RemoteWipe --------LastError --------Status ``` + **doWipe** -Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command. +Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed. +Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. @@ -56,14 +58,14 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index b78051384b..290767b7a1 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -2,12 +2,12 @@ title: RemoteWipe DDF file description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 --- diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index b35de0f323..79814579cb 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -2,12 +2,12 @@ title: Reporting CSP description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md index ac2bc0f113..a18c3cb3b6 100644 --- a/windows/client-management/mdm/reporting-ddf-file.md +++ b/windows/client-management/mdm/reporting-ddf-file.md @@ -2,12 +2,12 @@ title: Reporting DDF file description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md index ef51421942..3dc28440bd 100644 --- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: REST API reference for Microsoft Store for Business description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' -- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' + - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index cbfbf19ba1..0ff47616c0 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -2,12 +2,12 @@ title: RootCATrustedCertificates CSP description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/06/2018 --- diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index cc11893ef0..67f5c3a6d7 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -2,12 +2,12 @@ title: RootCATrustedCertificates DDF file description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/07/2018 --- diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index b973e23145..2f16f647de 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -2,12 +2,12 @@ title: SecureAssessment CSP description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index 9c0896a99d..67118163ea 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -2,12 +2,12 @@ title: SecureAssessment DDF file description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 0f55bf6958..a3f9722270 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -2,12 +2,12 @@ title: SecurityPolicy CSP description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md index f0cade5d43..1f89f971a0 100644 --- a/windows/client-management/mdm/server-requirements-windows-mdm.md +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md @@ -1,16 +1,16 @@ --- title: Server requirements for using OMA DM to manage Windows devices description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM. -MS-HAID: -- 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' -- 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' +MS-HAID: + - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' + - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index f1c190ab44..1e4509043f 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -2,12 +2,12 @@ title: SharedPC CSP description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 01/16/2019 --- diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 359f191981..1eb414317a 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -2,12 +2,12 @@ title: SharedPC DDF file description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md index d9df5b94c6..03f3fe6afa 100644 --- a/windows/client-management/mdm/storage-csp.md +++ b/windows/client-management/mdm/storage-csp.md @@ -2,12 +2,12 @@ title: Storage CSP description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md index c5870a9cb4..4d2a9283a7 100644 --- a/windows/client-management/mdm/storage-ddf-file.md +++ b/windows/client-management/mdm/storage-ddf-file.md @@ -2,12 +2,12 @@ title: Storage DDF file description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index 15ee879130..d34d3c1746 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -2,12 +2,12 @@ title: Structure of OMA DM provisioning files description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 42cfa00702..802b366a55 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -2,12 +2,12 @@ title: SUPL CSP description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/12/2019 --- diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 5d250c07da..62a7531702 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -2,12 +2,12 @@ title: SUPL DDF file description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/03/2020 --- diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 331505d70d..a7ea49f35d 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -2,12 +2,12 @@ title: SurfaceHub CSP description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/28/2017 --- @@ -508,7 +508,7 @@ If this setting is true, the device account will be used for proxy authenticatio **Properties/ProxyServers** -Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://). +Added in KB4499162 for Windows 10, version 1703. Specifies hostnames of proxy servers to automatically provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names (FQDN), without any extra prefixes (for example, https://). - The data type is string. - Supported operation is Get and Replace. @@ -551,4 +551,4 @@ Primary key for authenticating with the workspace. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 1a8a825bde..3f66986007 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -2,12 +2,12 @@ title: SurfaceHub DDF file description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index a4b4565694..c271871ce1 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -1,14 +1,14 @@ --- title: TenantLockdown CSP description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TenantLockdown CSP diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md index e85778cb28..12dc9f5348 100644 --- a/windows/client-management/mdm/tenantlockdown-ddf.md +++ b/windows/client-management/mdm/tenantlockdown-ddf.md @@ -1,14 +1,14 @@ --- title: TenantLockdown DDF file description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TenantLockdown DDF file diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index a95c47c94f..859cfd31fa 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,974 +1,979 @@ items: -- name: Mobile device management - href: index.md - items: - - name: What's new in MDM enrollment and management - href: new-in-windows-mdm-enrollment-management.md - items: - - name: Change history for MDM documentation - href: change-history-for-mdm-documentation.md - - name: Mobile device enrollment - href: mobile-device-enrollment.md - items: - - name: MDM enrollment of Windows devices - href: mdm-enrollment-of-windows-devices.md - items: - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal" - href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy - href: enroll-a-windows-10-device-automatically-using-group-policy.md - - name: Federated authentication device enrollment - href: federated-authentication-device-enrollment.md - - name: Certificate authentication device enrollment - href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment - href: on-premise-authentication-device-enrollment.md - - name: Understanding ADMX policies - href: understanding-admx-backed-policies.md - - name: Enable ADMX policies in MDM - href: enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: win32-and-centennial-app-policy-configuration.md - - name: Implement server-side support for mobile application management on Windows - href: implement-server-side-mobile-application-management.md - - name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md - items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md - - name: Enterprise app management - href: enterprise-app-management.md - - name: Mobile device management (MDM) for device updates - href: device-update-management.md - - name: Bulk enrollment - href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Secured-Core PC Configuration Lock - href: config-lock.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - items: - - name: REST API reference for Microsoft Store for Business - href: rest-api-reference-windows-store-for-business.md - items: - - name: Data structures for Microsoft Store for Business - href: data-structures-windows-store-for-business.md - - name: Get Inventory - href: get-inventory.md - - name: Get product details - href: get-product-details.md - - name: Get localized product details - href: get-localized-product-details.md - - name: Get offline license - href: get-offline-license.md - - name: Get product packages - href: get-product-packages.md - - name: Get product package - href: get-product-package.md - - name: Get seats - href: get-seats.md - - name: Get seat - href: get-seat.md - - name: Assign seats - href: assign-seats.md - - name: Reclaim seat from user - href: reclaim-seat-from-user.md - - name: Bulk assign and reclaim seats from users - href: bulk-assign-and-reclaim-seats-from-user.md - - name: Get seats assigned to a user - href: get-seats-assigned-to-a-user.md - - name: Certificate renewal - href: certificate-renewal-windows-mdm.md - - name: Disconnecting from the management infrastructure (unenrollment) - href: disconnecting-from-mdm-unenrollment.md - - name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md - - name: Push notification support for device management - href: push-notification-windows-mdm.md - - name: OMA DM protocol support - href: oma-dm-protocol-support.md - - name: Structure of OMA DM provisioning files - href: structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: server-requirements-windows-mdm.md - - name: DMProcessConfigXMLFiltered - href: dmprocessconfigxmlfiltered.md - - name: Using PowerShell scripting with the WMI Bridge Provider - href: using-powershell-scripting-with-the-wmi-bridge-provider.md - - name: WMI providers supported in Windows 10 - href: wmi-providers-supported-in-windows.md - - name: Configuration service provider reference - href: configuration-service-provider-reference.md - items: - - name: AccountManagement CSP - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts CSP - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync CSP - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement CSP - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION CSP - href: application-csp.md - - name: ApplicationControl CSP - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker CSP - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess CSP - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker CSP - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings CSP - href: cellularsettings-csp.md - - name: CertificateStore CSP - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC CSP - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall CSP - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries CSP - href: cm-cellularentries-csp.md - - name: CMPolicy CSP - href: cmpolicy-csp.md - - name: CMPolicyEnterprise CSP - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI CSP - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender CSP - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail CSP - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup CSP - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock CSP - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability CSP - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus CSP - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo CSP - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog CSP - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc CSP - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient CSP - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions CSP - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement CSP - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 CSP - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking CSP - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN CSP - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement CSP - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection CSP - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement CSP - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement CSP - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs CSP - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall CSP - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation CSP - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: MultiSIM CSP - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP CSP - href: nap-csp.md - - name: NAPDEF CSP - href: napdef-csp.md - - name: NetworkProxy CSP - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy CSP - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache CSP - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office CSP - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork CSP - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: Personalization CSP - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Policy CSP - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise - href: ./configuration-service-provider-reference.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: Provisioning CSP - href: provisioning-csp.md - - name: PXLOGICAL CSP - href: pxlogical-csp.md - - name: Reboot CSP - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind CSP - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe CSP - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting CSP - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates CSP - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment CSP - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy CSP - href: securitypolicy-csp.md - - name: SharedPC CSP - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage CSP - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL CSP - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub CSP - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown CSP - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy CSP - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI CSP - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter CSP - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint CSP - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update CSP - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN CSP - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 CSP - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION CSP - href: w4-application-csp.md - - name: w7 APPLICATION CSP - href: w7-application-csp.md - - name: WiFi CSP - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory CSP - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser CSP - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection CSP - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot CSP - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard CSP - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing CSP - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork CSP - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + - name: Mobile Device Management + href: index.yml + items: + - name: Overview + items: + - name: MDM overview + href: mdm-overview.md + - name: What's new in MDM enrollment and management + href: new-in-windows-mdm-enrollment-management.md + - name: Change history for MDM documentation + href: change-history-for-mdm-documentation.md + - name: Azure Active Directory integration with MDM + href: azure-active-directory-integration-with-mdm.md + items: + - name: Add an Azure AD tenant and Azure AD subscription + href: add-an-azure-ad-tenant-and-azure-ad-subscription.md + - name: Register your free Azure Active Directory subscription + href: register-your-free-azure-active-directory-subscription.md + - name: Device enrollment + href: mobile-device-enrollment.md + items: + - name: MDM enrollment of Windows devices + href: mdm-enrollment-of-windows-devices.md + - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" + href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - name: Enroll a Windows 10 device automatically using Group Policy + href: enroll-a-windows-10-device-automatically-using-group-policy.md + - name: Bulk enrollment + href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Federated authentication device enrollment + href: federated-authentication-device-enrollment.md + - name: Certificate authentication device enrollment + href: certificate-authentication-device-enrollment.md + - name: On-premises authentication device enrollment + href: on-premise-authentication-device-enrollment.md + - name: Disconnecting a device from MDM (unenrollment) + href: disconnecting-from-mdm-unenrollment.md + - name: Understanding ADMX policies + href: understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: win32-and-centennial-app-policy-configuration.md + - name: Enterprise settings, policies, and app management + href: windows-mdm-enterprise-settings.md + items: + - name: Enterprise app management + href: enterprise-app-management.md + items: + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md + - name: Management tool for the Microsoft Store for Business + href: management-tool-for-windows-store-for-business.md + - name: REST API reference for Microsoft Store for Business + href: rest-api-reference-windows-store-for-business.md + items: + - name: Data structures for Microsoft Store for Business + href: data-structures-windows-store-for-business.md + - name: Get Inventory + href: get-inventory.md + - name: Get product details + href: get-product-details.md + - name: Get localized product details + href: get-localized-product-details.md + - name: Get offline license + href: get-offline-license.md + - name: Get product packages + href: get-product-packages.md + - name: Get product package + href: get-product-package.md + - name: Get seats + href: get-seats.md + - name: Get seat + href: get-seat.md + - name: Assign seats + href: assign-seats.md + - name: Reclaim seat from user + href: reclaim-seat-from-user.md + - name: Bulk assign and reclaim seats from users + href: bulk-assign-and-reclaim-seats-from-user.md + - name: Get seats assigned to a user + href: get-seats-assigned-to-a-user.md + - name: Mobile device management (MDM) for device updates + href: device-update-management.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md + - name: Certificate renewal + href: certificate-renewal-windows-mdm.md + - name: Using PowerShell scripting with the WMI Bridge Provider + href: using-powershell-scripting-with-the-wmi-bridge-provider.md + - name: WMI providers supported in Windows 10 + href: wmi-providers-supported-in-windows.md + - name: Diagnose MDM failures in Windows 10 + href: diagnose-mdm-failures-in-windows-10.md + - name: Push notification support for device management + href: push-notification-windows-mdm.md + - name: MAM support for device management + href: implement-server-side-mobile-application-management.md + - name: OMA DM protocol support + href: oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: server-requirements-windows-mdm.md + - name: DMProcessConfigXMLFiltered + href: dmprocessconfigxmlfiltered.md + - name: Configuration service provider reference + href: configuration-service-provider-reference.md + items: + - name: AccountManagement CSP + href: accountmanagement-csp.md + items: + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts CSP + href: accounts-csp.md + items: + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync CSP + href: activesync-csp.md + items: + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement CSP + href: alljoynmanagement-csp.md + items: + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION CSP + href: application-csp.md + - name: ApplicationControl CSP + href: applicationcontrol-csp.md + items: + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker CSP + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess CSP + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker CSP + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings CSP + href: cellularsettings-csp.md + - name: CertificateStore CSP + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC CSP + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall CSP + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries CSP + href: cm-cellularentries-csp.md + - name: CMPolicy CSP + href: cmpolicy-csp.md + - name: CMPolicyEnterprise CSP + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI CSP + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender CSP + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail CSP + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup CSP + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock CSP + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability CSP + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus CSP + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo CSP + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog CSP + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc CSP + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient CSP + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions CSP + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement CSP + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 CSP + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking CSP + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN CSP + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement CSP + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection CSP + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement CSP + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement CSP + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs CSP + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall CSP + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation CSP + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: MultiSIM CSP + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP CSP + href: nap-csp.md + - name: NAPDEF CSP + href: napdef-csp.md + - name: NetworkProxy CSP + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy CSP + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache CSP + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office CSP + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork CSP + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: Personalization CSP + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Policy CSP + href: policy-configuration-service-provider.md + items: + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise + href: ./configuration-service-provider-reference.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: Provisioning CSP + href: provisioning-csp.md + - name: PXLOGICAL CSP + href: pxlogical-csp.md + - name: Reboot CSP + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind CSP + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe CSP + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting CSP + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates CSP + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment CSP + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy CSP + href: securitypolicy-csp.md + - name: SharedPC CSP + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage CSP + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL CSP + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub CSP + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown CSP + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy CSP + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI CSP + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter CSP + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update CSP + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN CSP + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 CSP + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION CSP + href: w4-application-csp.md + - name: w7 APPLICATION CSP + href: w7-application-csp.md + - name: WiFi CSP + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory CSP + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser CSP + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection CSP + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot CSP + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard CSP + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing CSP + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork CSP + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 698e2bf85e..14bb56f7ca 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -1,14 +1,14 @@ --- title: TPMPolicy CSP description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TPMPolicy CSP diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md index 5cd81b56b7..42f7a373d5 100644 --- a/windows/client-management/mdm/tpmpolicy-ddf-file.md +++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md @@ -1,14 +1,14 @@ --- title: TPMPolicy DDF file description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TPMPolicy DDF file diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index fd47c179fa..b1fd8cdde4 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -1,14 +1,14 @@ --- title: UEFI CSP description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # UEFI CSP diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index 0124a0a281..51dec0bdd7 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -1,14 +1,14 @@ --- title: UEFI DDF file description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # UEFI DDF file diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index da5516f990..c21a7a2573 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -1,14 +1,14 @@ --- title: Understanding ADMX policies description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Understanding ADMX policies diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 46abb8acab..6e9a7e9322 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -2,12 +2,12 @@ title: UnifiedWriteFilter CSP description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md index 51a25e686a..f6cfcd2307 100644 --- a/windows/client-management/mdm/unifiedwritefilter-ddf.md +++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md @@ -2,12 +2,12 @@ title: UnifiedWriteFilter DDF File description: UnifiedWriteFilter DDF File ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md index e7ca5d359c..bb4cae4a7b 100644 --- a/windows/client-management/mdm/universalprint-csp.md +++ b/windows/client-management/mdm/universalprint-csp.md @@ -1,32 +1,32 @@ --- title: UniversalPrint CSP description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices. -ms.author: mandia +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MandiOhlinger +author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: dougeby +manager: aaroncz --- # UniversalPrint CSP The table below shows the applicability of Windows: -|Edition|Windows 11| -|--- |--- | -|Home|No| -|Pro|Yes| -|Windows SE|Yes| -|Business|Yes| -|Enterprise|Yes| -|Education|Yes| +|Edition|Windows 11|Windows 10| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis). -This CSP was added in Windows 11. +This CSP was added in Windows 11 and in Windows 10 21H2 July 2022 update [KB5015807](https://support.microsoft.com/topic/july-12-2022-kb5015807-os-builds-19042-1826-19043-1826-and-19044-1826-8c8ea8fe-ec83-467d-86fb-a2f48a85eb41). The following example shows the UniversalPrint configuration service provider in tree format. diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md index cc624c9c29..6e8412dfa0 100644 --- a/windows/client-management/mdm/universalprint-ddf-file.md +++ b/windows/client-management/mdm/universalprint-ddf-file.md @@ -1,14 +1,14 @@ --- title: UniversalPrint DDF file description: UniversalPrint DDF file -ms.author: mandia +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MandiOhlinger +author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: dougeby +manager: aaroncz --- # UniversalPrint DDF file diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 8924365745..e7c54fb69a 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -2,12 +2,12 @@ title: Update CSP description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/23/2018 --- diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index 3daad32697..06da8be6f1 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -2,12 +2,12 @@ title: Update DDF file description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/23/2018 --- diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md index 6d66ae073b..d42e777b93 100644 --- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -2,12 +2,12 @@ title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index e26ae9c716..6d484acd8d 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -2,12 +2,12 @@ title: VPN CSP description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/02/2017 --- diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index a59443bf05..4cf629cb79 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md @@ -2,12 +2,12 @@ title: VPN DDF file description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 053e642943..fb60f1756f 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -2,12 +2,12 @@ title: VPNv2 CSP description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. ms.reviewer: pesmith -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2021 --- diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index d94de5b3c6..ec744e211f 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -2,12 +2,12 @@ title: VPNv2 DDF file description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. ms.reviewer: pesmith -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/30/2020 --- diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index b1daeaf543..6e67b7102c 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -1,13 +1,13 @@ --- title: ProfileXML XSD description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. -ms.reviewer: -manager: dansimp -ms.author: dansimp +ms.reviewer: +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/14/2020 --- diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index a8d705d870..7bc64259b1 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -2,12 +2,12 @@ title: w4 APPLICATION CSP description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index cf703e5dca..f5dc037820 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -2,12 +2,12 @@ title: w7 APPLICATION CSP description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 4c2daf739b..60791f3a53 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -1,13 +1,13 @@ --- title: WiFi CSP -description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. +description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/18/2019 --- diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index 295832f932..3f1d8d46e7 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -2,12 +2,12 @@ title: WiFi DDF file description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2018 --- diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index f822a664d9..824f17444b 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -1,14 +1,14 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32 and Desktop Bridge app ADMX policy Ingestion diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index c3d3098f0a..82a4e341dd 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -2,12 +2,12 @@ title: Win32AppInventory CSP description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index cbb05d50b8..9cd08b73e2 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -2,12 +2,12 @@ title: Win32AppInventory DDF file description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index ea3289d926..816e68336d 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -1,14 +1,14 @@ --- title: Win32CompatibilityAppraiser CSP description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32CompatibilityAppraiser CSP diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md index 057c668a74..56b7cbd8ed 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md @@ -1,14 +1,14 @@ --- title: Win32CompatibilityAppraiser DDF file description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32CompatibilityAppraiser DDF file diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index 6ae938bf13..0c7b48f2a8 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md @@ -1,16 +1,16 @@ --- title: Enterprise settings, policies, and app management description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. -MS-HAID: -- 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' -- 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' +MS-HAID: + - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' + - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 153d3dd342..48b0ea237e 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -2,12 +2,12 @@ title: WindowsAdvancedThreatProtection CSP description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 044557e1f2..cddb4f73e0 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -3,12 +3,12 @@ title: WindowsAdvancedThreatProtection DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index f1a5f8bb5b..b50630eea2 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -2,12 +2,12 @@ title: WindowsAutopilot CSP description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. ms.reviewer: -manager: dansimp -ms.author: v-nsatapathy +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/09/2022 --- diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index d6f71e89a4..dfc52ce96c 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -1,14 +1,14 @@ --- title: WindowsAutopilot DDF file description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) . -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/07/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsAutopilot DDF file diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 6a9c6a3055..e8c9563d43 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -1,14 +1,14 @@ --- title: WindowsDefenderApplicationGuard CSP description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/02/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsDefenderApplicationGuard CSP diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index d910c1b600..c49a7214d2 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,14 +1,14 @@ --- title: WindowsDefenderApplicationGuard DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/10/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsDefenderApplicationGuard DDF file diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 0345c70924..f120a8272e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -2,12 +2,12 @@ title: WindowsLicensing CSP description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 --- diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index c570da1af6..6ebeec7c74 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -2,12 +2,12 @@ title: WindowsLicensing DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/16/2017 --- diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index ff85447bbd..dd76d25d3e 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -1,14 +1,14 @@ --- title: WiredNetwork CSP description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/27/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WiredNetwork CSP diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index f527c65745..9d071d2ad5 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -1,14 +1,14 @@ --- title: WiredNetwork DDF file -description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. -ms.author: dansimp +description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WiredNetwork DDF file diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index c185fbbae1..3026a02d56 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -1,16 +1,16 @@ --- title: WMI providers supported in Windows 10 description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). -MS-HAID: -- 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' -- 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' +MS-HAID: + - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' + - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 386ac0ed29..5bc9aad966 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -2,10 +2,10 @@ title: New policies for Windows 10 (Windows 10) description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/15/2021 ms.topic: reference diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 28cd4f3642..0b4918cbd6 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -5,11 +5,12 @@ ms.prod: w10 ms.topic: article ms.technology: windows ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.reviewer: pmadrigal ms.collection: highpri +ms.date: 08/26/2022 --- # Use Quick Assist to help users @@ -18,7 +19,7 @@ Quick Assist is a Microsoft Store application that enables a person to share the ## Before you begin -All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. +All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. > [!NOTE] > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. @@ -35,24 +36,30 @@ Both the helper and sharer must be able to reach these endpoints over port 443: | Domain/Name | Description | |--|--| -| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | -| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | -| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | -| `*.aria.microsoft.com` | Used for accessibility features within the app | | `*.api.support.microsoft.com` | API access for Quick Assist | -| `*.vortex.data.microsoft.com` | Used for diagnostic data | +| `*.aria.microsoft.com` | Used for accessibility features within the app | +| `*.cc.skype.com` | Azure Communication Service for chat and connection between parties | | `*.channelservices.microsoft.com` | Required for chat services within Quick Assist | +| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | +| `*.edgeassetservice.azureedge.net` | Used for diagnostic data | +| `*.flightproxy.skype.com` | Azure Communication Service for chat and connection between parties | +| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | +| `*.monitor.azure.com` | Service Performance Monitoring | +| `*.registrar.skype.com` | Azure Communication Service for chat and connection between parties. | | `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. | +| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | +| `*.trouter.skype.com` | Azure Communication Service for chat and connection between parties. | | `*.turn.azure.com` | Protocol used to help endpoint. | +| `*.vortex.data.microsoft.com` | Used for diagnostic data | | `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | -| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | -| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | +| `edge.skype.com` | Azure Communication Service for chat and connection between parties. | +| `events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | ## How it works 1. Both the helper and the sharer start Quick Assist. -2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. +2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. 3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. @@ -89,10 +96,11 @@ Either the support staff or a user can start a Quick Assist session. 1. Support staff ("helper") starts Quick Assist in any of a few ways: - Type *Quick Assist* in the search box and press ENTER. - - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. - - Type CTRL+Windows+Q + - Press **CTRL** + **Windows** + **Q** + - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**. + - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**. -2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. +2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. 3. Helper shares the security code with the user over the phone or with a messaging system. @@ -102,9 +110,51 @@ Either the support staff or a user can start a Quick Assist session. 6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. -## If Quick Assist is missing +## Install Quick Assist -If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. For more information, see [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). +### Install Quick Assist from the Microsoft Store + +1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5). +1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**.
:::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: + +For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). + +### Install Quick Assist with Intune + +Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. + +1. Go to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) and navigate to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. +1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). +1. Select **Manage** / **Settings** and turn on **Show offline apps**. +1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. +1. Search for **Quick Assist** and select it from the Search results. +1. Choose the **Offline** license and select **Get the app** +1. From the Intune portal (Endpoint Manager admin center) choose **Sync**. +1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. +1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link. +1. Assign the app to the required group of devices and choose **Review + save** to complete the application install. + +> [!NOTE] +> Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context. + +Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information. + +### Install Quick Assist Offline + +To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. + +1. Start **Windows PowerShell** with Administrative privileges. +1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>) +1. Run the following command to install Quick Assist:
*Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"* +1. After Quick Assist has installed, run this command:
_Get-appxpackage \*QuickAssist* -alluser_ + +After running the command, you'll see Quick Assist 2.X is installed for the user. + +## Microsoft Edge WebView2 + +The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. + +For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) ## Next steps diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index d8b8b2c1b8..354b49fbea 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -6,7 +6,7 @@ ms.topic: troubleshooting author: Deland-Han ms.localizationpriority: medium ms.author: delhan -ms.date: 8/22/2019 +ms.date: 07/12/2022 ms.reviewer: dcscontentpm manager: dansimp --- @@ -183,6 +183,63 @@ To specify that you don't want to overwrite any previous kernel or complete memo - Set the **Overwrite** DWORD value to **0**. +#### Automatic Memory Dump + +This is the default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. + +If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more information, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). + +To specify that you want to use an automatic memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugInfoType = 7 + ``` + +- Set the **CrashDumpEnabled** DWORD value to **7**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the **DumpFile** Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + +#### Active Memory Dump + +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. + +This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more information, see [Active Memory Dump](/windows-hardware/drivers/debugger/active-memory-dump). + +To specify that you want to use an active memory dump file, modify the registry value: + +- Set the **CrashDumpEnabled** DWORD value to **1**. +- Set the **FilterPages** DWORD value to **1**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the DumpFile Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + >[!Note] >If you contact Microsoft Support about a Stop error, you might be asked for the memory dump file that is generated by the Write Debugging Information option. @@ -191,6 +248,7 @@ To view system failure and recovery settings for your local computer, type **wmi >[!Note] >To successfully use these Wmic.exe command line examples, you must be logged on by using a user account that has administrative rights on the computer. If you are not logged on by using a user account that has administrative rights on the computer, use the **/user:user_name** and **/password:password** switches. + ### Tips - To take advantage of the dump file feature, your paging file must be on the boot volume. If you've moved the paging file to another volume, you must move it back to the boot volume before you use this feature. @@ -201,4 +259,4 @@ To view system failure and recovery settings for your local computer, type **wmi ## References -[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) \ No newline at end of file +[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 92e5722e04..d856948d89 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -1,7 +1,7 @@ items: - name: Windows client management href: index.yml - items: + items: - name: Client management tools and settings items: - name: Windows Tools/Administrative Tools @@ -29,30 +29,30 @@ items: - name: Windows libraries href: windows-libraries.md - name: Mobile device management (MDM) - items: - - name: Mobile Device Management - href: mdm/index.md + items: + - name: Mobile Device Management + href: mdm/index.yml - name: Configuration Service Provider (CSP) - items: - - name: CSP reference + items: + - name: CSP reference href: mdm/configuration-service-provider-reference.md - name: Troubleshoot Windows clients - items: - - name: Windows 10 support solutions + items: + - name: Windows 10 support solutions href: windows-10-support-solutions.md - name: Advanced troubleshooting for Windows networking href: troubleshoot-networking.md - items: + items: - name: Advanced troubleshooting Wireless network connectivity href: advanced-troubleshooting-wireless-network-connectivity.md - name: Advanced troubleshooting 802.1X authentication href: advanced-troubleshooting-802-authentication.md - items: + items: - name: Data collection for troubleshooting 802.1X authentication href: data-collection-for-802-authentication.md - name: Advanced troubleshooting for TCP/IP href: troubleshoot-tcpip.md - items: + items: - name: Collect data using Network Monitor href: troubleshoot-tcpip-netmon.md - name: "Part 1: TCP/IP performance overview" @@ -60,7 +60,7 @@ items: - name: "Part 2: TCP/IP performance underlying network issues" href: /troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network - name: "Part 3: TCP/IP performance known issues" - href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues + href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues - name: Troubleshoot TCP/IP connectivity href: troubleshoot-tcpip-connectivity.md - name: Troubleshoot port exhaustion @@ -69,7 +69,7 @@ items: href: troubleshoot-tcpip-rpc-errors.md - name: Advanced troubleshooting for Windows startup href: troubleshoot-windows-startup.md - items: + items: - name: How to determine the appropriate page file size for 64-bit versions of Windows href: determine-appropriate-page-file-size.md - name: Generate a kernel or complete crash dump diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md index 3e9561ed60..cf2bc78b5b 100644 --- a/windows/client-management/troubleshoot-networking.md +++ b/windows/client-management/troubleshoot-networking.md @@ -27,9 +27,9 @@ The following topics are available to help you troubleshoot common problems rela [802.1X authenticated wired access overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))
[802.1X authenticated wireless access overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
-[Wireless cccess deployment overview](/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
+[Wireless access deployment overview](/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
[TCP/IP technical reference](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
[Network Monitor](/windows/desktop/netmon2/network-monitor)
[RPC and the network](/windows/desktop/rpc/rpc-and-the-network)
[How RPC works](/windows/desktop/rpc/how-rpc-works)
-[NPS reason codes](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
\ No newline at end of file +[NPS reason codes](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 81396fc528..1d213f059d 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -14,6 +14,8 @@ ms.collection: highpri # Advanced troubleshooting for stop or blue screen errors +

Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues + > [!NOTE] > If you're not a support agent or IT professional, you'll find more helpful information about stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad). diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md index c2ae601920..6747a6a240 100644 --- a/windows/client-management/troubleshoot-windows-startup.md +++ b/windows/client-management/troubleshoot-windows-startup.md @@ -13,6 +13,8 @@ manager: dansimp # Advanced troubleshooting for Windows start-up issues +

Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues + In these topics, you will learn how to troubleshoot common problems that are related to Windows startup. ## How it works diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 021f22ec21..6dd2f0b24a 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -2,10 +2,10 @@ title: Windows 10 support solutions description: Learn where to find information about troubleshooting Windows 10 issues, for example BitLocker issues and bugcheck errors. ms.reviewer: kaushika -manager: dansimp +manager: aaroncz ms.prod: w10 -ms.author: kaushika -author: kaushika-msft +ms.author: vinpa +author: vinaypamnani-msft ms.localizationpriority: medium ms.topic: troubleshooting --- diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md index 16ef254939..2ec424585c 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/windows-libraries.md @@ -1,13 +1,13 @@ --- ms.reviewer: -manager: dansimp +manager: aaroncz title: Windows Libraries ms.prod: windows-server-threshold -ms.author: dansimp +ms.author: vinpa ms.manager: dongill ms.technology: storage ms.topic: article -author: dansimp +author: vinaypamnani-msft description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. ms.date: 09/15/2021 --- @@ -29,21 +29,21 @@ Windows libraries are backed by full content search and rich metadata. Libraries ## Features for Administrators -Administrators can configure and control Windows libraries in the following ways: +Administrators can configure and control Windows libraries in the following methods: - Create custom libraries by creating and deploying Library Description (*.library-ms) files. -- Hide or delete the default libraries. (The Library node itself cannot be hidden or deleted from the Windows Explorer navigation pane.) +- Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.) - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. - Specify locations to include in a library. - Remove a default location from a library. -- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](/previous-versions/windows/it-pro/windows-7/dd744693(v=ws.10)#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. +- Remove advanced libraries features, when the environment doesn't support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) Group Policy. This method makes all libraries basic (see [Indexing Requirements and Basic Libraries](/previous-versions/windows/it-pro/windows-7/dd744693(v=ws.10)#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. ## More about Libraries -The following is important information about libraries you may need to understand to successfully manage your enterprise. +The following information is important in the context of libraries you may need to understand to successfully manage your enterprise. ### Library Contents -Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. +Including a folder in a library doesn't physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. ### Default Libraries and Known Folders @@ -57,35 +57,35 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict ### Hiding Default Libraries -Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. ### Default Save Locations for Libraries Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. -If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails. +If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails. ### Indexing Requirements and “Basic” Libraries -Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality: +Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality: - No support for metadata browsing via **Arrange By** views. - Grep-only searches. - Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. -- No support for searching from the Start menu. Start menu searches do not return files from basic libraries. +- No support for searching from the Start menu. Start menu searches don't return files from basic libraries. - No previews of file snippets for search results returned in Content mode. -To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally. +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). -If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)). +If your environment doesn't support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) data Group Policy. This enablement makes all libraries basic. For more information, see [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)). ### Folder Redirection -While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. +While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. ### Supported storage locations -The following table show which locations are supported in Windows libraries. +The following table shows which locations are supported in Windows libraries. |Supported Locations|Unsupported Locations| |---|---| @@ -98,8 +98,8 @@ The following table show which locations are supported in Windows libraries. - Expected maximum load is four concurrent query requests. - Expected indexing corpus is a maximum of one million documents. -- Users directly access the server. That is, the server is not made available through DFS Namespaces. -- Users are not redirected to another server in case of failure. That is, server clusters are not used. +- Users directly access the server. That is, the server isn't made available through DFS Namespaces. +- Users aren't redirected to another server if there's a failure. That is, server clusters aren't used. ### Library Attributes @@ -122,7 +122,7 @@ See the [Library Description Schema](/windows/win32/shell/library-schema-entry) - [Federated Search Features](/previous-versions/windows/it-pro/windows-7/dd744682(v=ws.10)) - [Administrative How-to Guides](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)) - [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)) -- [Additional Resources for Windows Search, Browse, and Organization](/previous-versions/windows/it-pro/windows-7/dd744695(v=ws.10)) +- [More Resources for Windows Search, Browse, and Organization](/previous-versions/windows/it-pro/windows-7/dd744695(v=ws.10)) ### Other resources diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 462b458840..939d36455a 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -1,18 +1,21 @@ --- title: What version of Windows am I running? -description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. +description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. +keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build ms.prod: w10 -author: dansimp -ms.author: dansimp +ms.mktglfcycl: manage +ms.sitesec: library +author: vinaypamnani-msft +ms.author: vinpa ms.date: 04/30/2018 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: troubleshooting --- # What version of Windows am I running? -To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (GA Channel) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. +To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. ## System Properties Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu @@ -22,7 +25,7 @@ You'll now see **Edition**, **Version**, and **OS Build** information. Something ![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) ## Using Keyword Search -You can simply type the following in the search bar and press **ENTER** to see version details for your device. +You can type the following in the search bar and press **ENTER** to see version details for your device. **“winver”** diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index aa66136bfb..350a9ffd87 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -2,10 +2,10 @@ title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10) description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 11/28/2017 @@ -28,27 +28,27 @@ These policy settings are available in **Administrative Templates\\Start Menu an |Policy|Notes| |--- |--- | |Clear history of recently opened documents on exit|Documents that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.| -|Do not allow pinning items in Jump Lists|Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.| -|Do not display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.| -|Do not keep history of recently opened documents|Documents that the user opens are not tracked during the session.| -|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this disables all of the settings in **Settings** > **Personalization** > **Start** as well as the options in dialog available via right-click Taskbar > **Properties**| +|Don't allow pinning items in Jump Lists|Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.| +|Don't display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.| +|Don't keep history of recently opened documents|Documents that the user opens aren't tracked during the session.| +|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**| |Prevent users from customizing their Start Screen|Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it| -|Prevent users from uninstalling applications from Start|In Windows 10, this removes the uninstall button in the context menu. It does not prevent users from uninstalling the app through other entry points (e.g. PowerShell)| -|Remove All Programs list from the Start menu|In Windows 10, this removes the **All apps** button.| -|Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.| -|Remove common program groups from Start Menu|As in earlier versions of Windows, this removes apps specified in the All Users profile from Start| -|Remove frequent programs list from the Start Menu|In Windows 10, this removes the top left **Most used** group of apps.| +|Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)| +|Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.| +|Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This policy removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.| +|Remove common program groups from Start Menu|As in earlier versions of Windows, this policy removes apps specified in the All Users profile from Start| +|Remove frequent programs list from the Start Menu|In Windows 10, this policy removes the top left **Most used** group of apps.| |Remove Logoff on the Start Menu|**Logoff** has been changed to **Sign Out** in the user interface, however the functionality is the same.| -|Remove pinned programs list from the Start Menu|In Windows 10, this removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).| -|Show "Run as different user" command on Start|This enables the **Run as different user** option in the right-click menu for apps.| -|Start Layout|This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.| -|Force Start to be either full screen size or menu size|This applies a specific size for Start.| +|Remove pinned programs list from the Start Menu|In Windows 10, this policy removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).| +|Show "Run as different user" command on Start|This policy enables the **Run as different user** option in the right-click menu for apps.| +|Start Layout|This policy applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.| +|Force Start to be either full screen size or menu size|This policy applies a specific size for Start.| ## Deprecated Group Policy settings for Start -The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. +The Start policy settings listed below don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. | Policy | When deprecated | |----------------------------------------------------------------------------------|-----------------| @@ -90,7 +90,7 @@ The Start policy settings listed below do not work on Windows 10. Most of them - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index bf089eb4ba..53a58baf77 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,27 +1,29 @@ --- title: Configure Windows 10 taskbar (Windows 10) -description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +keywords: [taskbar layout, pin apps] ms.prod: w10 -author: aczechowski -ms.author: aaroncz +ms.mktglfcycl: manage +ms.sitesec: library +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 01/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.collection: highpri --- - # Configure Windows 10 taskbar -Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. +Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. > [!NOTE] > The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. -You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). +You can specify different taskbar configurations based on device locale and region. There's no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). -If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar. +If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar. The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. @@ -38,8 +40,8 @@ The following example shows how apps will be pinned: Windows default apps to the **To configure the taskbar:** 1. Create the XML file. - * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. - * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. + * If you're also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. + * If you're only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. 2. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar. * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. * Use `` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps. @@ -53,7 +55,7 @@ The following example shows how apps will be pinned: Windows default apps to the ### Tips for finding AUMID and Desktop Application Link Path -In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. +In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. The easiest way to find this data for an application is to: 1. Pin the application to the Start menu on a reference or testing PC. @@ -205,7 +207,7 @@ By adding `PinListPlacement="Replace"` to ``, you ## Configure taskbar by country or region -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. +The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there's no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. ```xml @@ -324,5 +326,5 @@ The resulting taskbar for computers in any other country region: - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index e82f329a86..3790905b51 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -12,7 +12,7 @@ manager: dougeby # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization -Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. +Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant information at any given time. This information can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. >[!NOTE] >For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index a342f659be..0f3bf0b348 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -12,11 +12,11 @@ manager: dougeby # Send feedback about Cortana back to Microsoft -To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues. +To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. The Feedback Hub application is launched, where you can provide more information to help diagnose reported issues. :::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page"::: -To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided. +To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. The Feedback Hub is launched, where more information on the issue can be provided. :::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 633b1edf0b..1d18b8d49d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -2,6 +2,8 @@ title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz @@ -27,7 +29,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use Windows Information Protection, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. +- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution. - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 88b9b1e042..81cc7d9dff 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -25,7 +25,7 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store ## Required hardware and software -Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization. +Cortana requires a PC running Windows 10, version 1703 or later, and the following software to successfully run the included scenario in your organization. >[!NOTE] >A microphone isn't required to use Cortana. @@ -34,14 +34,14 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the |---------|---------| |Client operating system | - Windows 10, version 2004 (recommended)

- Windows 10, version 1703 (legacy version of Cortana)

For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | |Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. | -|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | +|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | >[!NOTE] >For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana. ## Signing in using Azure AD -Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/) +Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/) ## How is my data processed by Cortana? @@ -58,11 +58,11 @@ The table below describes the data handling for Cortana enterprise services. | Name | Description | |---------|---------| -|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. | +|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio isn't retained. | |**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. | -|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio is not retained. | +|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio isn't retained. | |**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. | -|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data is not used to target advertising. | +|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data isn't used to target advertising. | #### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? @@ -73,11 +73,11 @@ Cortana only begins listening for commands or queries when the wake word is dete First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard. -The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. +The first decision is made by the Windows Multiple Voice Assistant platform using hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. :::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: -At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. +At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service doesn't confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index 4c019223d3..32d197bae2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -1,6 +1,6 @@ --- title: Perform a quick search with Cortana at work (Windows) -description: This is a test scenario about how to perform a quick search with Cortana at work. +description: This scenario is a test scenario about how to perform a quick search with Cortana at work. ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 6a45297397..582e780d1f 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -20,6 +20,6 @@ This scenario helps you find out if a time slot is free on your calendar. 3. Type **Am I free at 3 PM tomorrow?** -Cortana will respond with your availability for that time, as well as nearby meetings. +Cortana will respond with your availability for that time, and nearby meetings. :::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index b05c1179dc..dcc810fb0f 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -16,7 +16,7 @@ Cortana can help employees in regions outside the US search for quick answers li 1. Select the **Cortana** icon in the taskbar. -2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You will be prompted to restart the app. +2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app. 3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index ed2e51d53c..942d908f2b 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -19,7 +19,7 @@ This optional scenario helps you to protect your organization’s data on a devi ## Use Cortana and WIP to protect your organization’s data -1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). +1. Create and deploy a WIP policy to your organization. For information about how to do this step, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). 2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index fb38e50ec2..d38268d716 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -18,7 +18,7 @@ manager: dougeby Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. ## High-level process -Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. +Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be simple to complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. To enable voice commands in Cortana @@ -33,7 +33,7 @@ To enable voice commands in Cortana 2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. ## Test scenario: Use voice commands in a Microsoft Store app -While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. +While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. **To get a Microsoft Store app** 1. Go to the Microsoft Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**. diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index b2a351551c..2a50408b60 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -13,8 +13,8 @@ ms.author: aaroncz ## Before you begin -- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11. -- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md). +- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you'll need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11. +- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you'll need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md). ## Set up and configure the Bing Answers feature Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com. @@ -25,7 +25,7 @@ The above experience is powered by Microsoft Bing, and Cortana sends the user qu Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users. -Users cannot enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows. +Users can't enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows. Sign in to the [Office Configuration Admin tool](https://config.office.com/). @@ -35,13 +35,13 @@ Follow the steps [here](/deployoffice/overview-office-cloud-policy-service#steps ## How does Microsoft handle customer data for Bing Answers? -When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following: +When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following actions: 1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned. -2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. +2. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. -Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization. +Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization. ## How the Bing Answer policy configuration is applied Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an Azure Active Directory group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index eea07d4bbe..8a9d2fec64 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -15,7 +15,7 @@ manager: dougeby >[!Important] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). -Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, I’ll get this to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. +Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, I’ll get something to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. >[!Important] >The Suggested reminders feature is currently only available in English (en-us). diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 5f13879817..747d7491b2 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -2,10 +2,10 @@ title: Customize and export Start layout (Windows 10) description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/18/2018 diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 069e047309..d50036f2c7 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -1,11 +1,11 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index 51335436d5..f9af3940ce 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -1,11 +1,11 @@ --- title: Configure and customize Windows 11 taskbar | Microsoft Docs description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 15c1cc2cad..dff79978bd 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -2,11 +2,11 @@ title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.collection: highpri --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index fb50dc5a39..d14d3320b6 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -2,11 +2,11 @@ title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.topic: article -ms.author: aaroncz +ms.author: lizlong ms.localizationpriority: medium ms.date: 08/05/2021 --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 0a2038ce7d..33777e162b 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -2,10 +2,10 @@ title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 18a8bd0b88..ee22abf878 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", + "**/*.svg", "**/*.gif" ], "exclude": [ diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 05e5647ef7..27d56ce3c5 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -1,10 +1,10 @@ --- title: Find the Application User Model ID of an installed app ms.reviewer: sybruckm -manager: dougeby -description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. -author: aczechowski -ms.author: aaroncz +manager: aaroncz +description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.prod: w10 @@ -97,7 +97,7 @@ function listAumids( $userAccount ) { } ``` -The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it. +The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it. ```powershell # Get a list of AUMIDs for the current account: diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index ce8ad34838..28d7a44308 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,13 +1,16 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. +keywords: [kiosk, lockdown, assigned access] ms.prod: w10 -author: aczechowski +ms.mktglfcycl: manage +ms.sitesec: library +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.collection: highpri --- @@ -28,9 +31,9 @@ The following guidelines may help you choose an appropriate Windows app for your - Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps). -- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. +- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. -- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) cannot be used as kiosk apps. +- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps. @@ -43,16 +46,14 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode). +Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). - -In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. > ->Kiosk Browser cannot access intranet websites. +>Kiosk Browser can't access intranet websites. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11. @@ -81,8 +82,7 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat > > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. > 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). -> 3. Insert the null character string in between each URL -(e.g `www.bing.com` and `www.contoso.com`). +> 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). > 4. Save the XML file. > 5. Open the project again in Windows Configuration Designer. > 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. @@ -104,10 +104,10 @@ URLs can include: - The path to the resource. - Query parameters. -Additional guidelines for URLs: +More guidelines for URLs: - If a period precedes the host, the policy filters exact host matches only. -- You cannot use user:pass fields. +- You can't use user:pass fields. - When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence. - The policy searches wildcards (*) last. - The optional query is a set of key-value and key-only tokens delimited by '&'. @@ -120,8 +120,8 @@ The following table describes the results for different combinations of blocked Blocked URL rule | Block URL exception rule | Result --- | --- | --- -`*` | `contoso.com`
`fabrikam.com` | All requests are blocked unless it is to `contoso.com, fabrikam.com,` or any of their subdomains. -`contoso.com` | `mail.contoso.com`
`.contoso.com`
`.www.contoso.com` | Block all requests to `contoso.com,` except for the main page and its mail subdomain. +`*` | `contoso.com`
`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. +`contoso.com` | `mail.contoso.com`
`.contoso.com`
`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. `youtube.com` | `youtube.com/watch?v=v1`
`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). The following table gives examples for blocked URLs. @@ -129,16 +129,16 @@ The following table gives examples for blocked URLs. | Entry | Result | |--------------------------|-------------------------------------------------------------------------------| -| `contoso.com` | Blocks all requests to contoso.com, `www.contoso.com,` and sub.www.contoso.com | +| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com | | `https://*` | Blocks all HTTPS requests to any domain. | -| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to `www.contoso.com` or `contoso.com` | +| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com | | `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. | -| `.www.contoso.com` | Blocks `www.contoso.com` but not its subdomains. | +| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. | | `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. | | `*:8080` | Blocks all requests to port 8080. | | `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. | | `192.168.1.2` | Blocks requests to 192.168.1.2. | -| `youtube.com/watch?v=V1` | Blocks youtube video with id V1. | +| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. | ### Other browsers @@ -155,24 +155,18 @@ You can create your own web browser Windows app by using the WebView class. Lear Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. -## Customize your breakout sequence - -Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience. - -There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used. - ## App configuration -Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. +Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. Check the guidelines published by your selected app and set up accordingly. ## Develop your kiosk app -Assigned access in Windows client leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. +Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). ## Test your assigned access experience -The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. +The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you've selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index aa2502cdf2..be1a9d7a92 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Configure Windows client # < 60 chars -summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars +summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index fda7a6c1da..3028bbe1c0 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -2,10 +2,10 @@ title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: reference --- diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 509e5e3983..abda04599e 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -2,10 +2,10 @@ title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index c444568fe9..f2071ae8ea 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -1,12 +1,12 @@ --- title: Configure kiosks and digital signs on Windows 10/11 desktop editions ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 ms.localizationpriority: medium -author: aczechowski +author: lizgt2000 ms.topic: article ms.collection: highpri --- @@ -25,7 +25,7 @@ Some desktop devices in an enterprise serve a special purpose. For example, a PC - **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. - A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lock screen. + A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen. ![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png) diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 219db257fb..fda5b337bf 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -2,11 +2,11 @@ title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- @@ -20,14 +20,14 @@ ms.topic: article -It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. +It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. ## Group Policy -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Azure Active Directory users. | Setting | Value | | --- | --- | @@ -65,7 +65,7 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers ## MDM policy -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). +Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact). Setting | Value | System-wide --- | --- | --- diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 2712131087..011b3f06f3 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -2,10 +2,10 @@ title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 075be3e488..b2ccf80c40 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -2,10 +2,10 @@ title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 7c13c2715e..8410a63f1f 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -2,10 +2,10 @@ title: Set up a single-app kiosk on Windows 10/11 description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index 091872a845..ad0602aff4 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -2,11 +2,11 @@ title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index dfc4d3e91d..6a43b111e8 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -2,10 +2,10 @@ title: Validate kiosk configuration (Windows 10/11) description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index a5f84dcc40..d26ff8c364 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -2,11 +2,11 @@ title: Assigned Access configuration kiosk XML reference (Windows 10/11) description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 4552e63e33..7c5751d47e 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -2,12 +2,12 @@ title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10) description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.date: 07/30/2018 -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index fcc521e9df..209003e5e1 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -3,9 +3,9 @@ title: Set up a multi-app kiosk on Windows 10 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. ms.prod: w10 ms.technology: windows -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: lizgt2000 +ms.author: lizlong +manager: aaroncz ms.reviewer: sybruckm ms.localizationpriority: medium ms.topic: how-to diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index caeb98056f..05bf244383 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -1,11 +1,11 @@ --- title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) -description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. +description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 6eb41bde06..13dd5ee45a 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -1,14 +1,14 @@ --- title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) -description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. +description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/20/2017 ms.reviewer: -manager: dougeby +manager: aaroncz --- # Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 1bd58d5c1e..eaff525abc 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -2,10 +2,10 @@ title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index a168bce8f6..2971e83a97 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -2,10 +2,10 @@ title: Configure cellular settings for tablets and PCs (Windows 10) description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/13/2018 diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index b37a32b863..3e4b126512 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -1,11 +1,11 @@ --- title: Configuration service providers for IT pros (Windows 10/11) -description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. +description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 53591bd83f..149f92d455 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -1,11 +1,11 @@ --- title: Provision PCs with common settings (Windows 10/11) -description: Create a provisioning package to apply common settings to a PC running Windows 10. +description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 45c362c928..2e3e08cf89 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -1,14 +1,14 @@ --- title: Provision PCs with apps and certificates (Windows 10) -description: Create a provisioning package to apply settings to a PC running Windows 10. +description: Create a provisioning package to apply settings to a PC running Windows 10. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: -manager: dougeby +manager: aaroncz --- # Provision PCs with apps and certificates for initial deployment (advanced provisioning) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index b35c477258..c96322afd3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -2,12 +2,12 @@ title: Provision PCs with apps (Windows 10/11) description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Provision PCs with apps diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 97a1f3bd50..f3f3796147 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -1,13 +1,13 @@ --- title: Apply a provisioning package (Windows 10/11) -description: Provisioning packages can be applied to a device during initial setup (OOBE) and after ("runtime"). +description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Apply a provisioning package diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index fbe7aecde9..365710b8c3 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -2,12 +2,12 @@ title: Windows Configuration Designer command-line interface (Windows 10/11) description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Windows Configuration Designer command-line interface (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 3d88ee9da1..a7fc0987ba 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -2,12 +2,12 @@ title: Create a provisioning package (Windows 10/11) description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 5d03c7ed2f..935cd2807e 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -1,13 +1,13 @@ --- title: How provisioning works in Windows 10/11 -description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. +description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # How provisioning works in Windows diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index bae03efaf1..6440a0c7d2 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,13 +1,13 @@ --- title: Install Windows Configuration Designer (Windows 10/11) -description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. +description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 65b4475739..36f22395b0 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -2,12 +2,12 @@ title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong --- # Create a provisioning package with multivariant settings diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index b37ea19251..48a18fc43e 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -2,10 +2,10 @@ title: Provisioning packages overview on Windows 10/11 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.collection: highpri diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 0698178c23..76c5aaf5a9 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -2,12 +2,12 @@ title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # PowerShell cmdlets for provisioning Windows client (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index e768666071..b203cd0294 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -2,12 +2,12 @@ title: Use a script to install a desktop app in provisioning packages (Windows 10/11) description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Use a script to install a desktop app in provisioning packages diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 6dc35cd108..553df87c89 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -2,12 +2,12 @@ title: Uninstall a provisioning package - reverted settings (Windows 10/11) description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Settings changed when you uninstall a provisioning package diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index a9bfdbcfdf..191ecb60c4 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -2,12 +2,12 @@ title: Set up a shared or guest PC with Windows 10/11 description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index dff1da75a5..572cd93eff 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -2,10 +2,10 @@ title: Set up digital signs on Windows 10/11 description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.date: 09/20/2021 ms.topic: article diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 793a35d714..28d3a28707 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -2,11 +2,11 @@ title: Troubleshoot Start menu errors description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +ms.author: lizlong +author: lizgt2000 ms.localizationpriority: medium ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: troubleshooting ms.collection: highpri --- diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index ffcdeef194..4d719d63a3 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -2,12 +2,12 @@ title: Start layout XML for desktop editions of Windows 10 (Windows 10) description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.date: 10/02/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 20c333fb2d..23f838107a 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -3,11 +3,11 @@ title: Add image for secondary Microsoft Edge tiles (Windows 10) description: Add app tiles on Windows 10 that's a secondary tile. ms.prod: w10 ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz --- # Add image for secondary Microsoft Edge tiles diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index ed2728abc4..03338078f4 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -2,10 +2,10 @@ title: Configure access to Microsoft Store (Windows 10) description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium ms.date: 4/16/2018 @@ -94,7 +94,7 @@ You can also use Group Policy to manage access to Microsoft Store. 4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**. > [!Important] -> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store. +> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This configuration allows in-box store apps to update while still blocking access to the store. ## Show private store only using Group Policy diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 30ef22ea5a..cc9735faab 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -1,11 +1,11 @@ --- title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium --- diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index 40ada8b099..da0f246bc9 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -1,11 +1,11 @@ --- title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium --- diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index 7bf2b82260..0a76ddcdb0 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md @@ -34,7 +34,7 @@ This topic explains how to use the UE-V template generator and manage custom set ## Back up and restore application and Windows settings that are synchronized with UE-V -Windows Management Instrumentation (WMI) and Windows PowerShell features of UE-V allow you to restore settings packages. By using WMI and Windows PowerShell commands, you can restore application and Windows settings to their original state and restore additional settings when a user adopts a new device. +Windows Management Instrumentation (WMI) and Windows PowerShell features of UE-V allow you to restore settings packages. By using WMI and Windows PowerShell commands, you can restore application and Windows settings to their original state and restore other settings when a user adopts a new device. [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md) diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index a3d3387c57..3a98106d0c 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -56,7 +56,7 @@ This section details the XML structure of the UE-V settings location template an **Type: String** -The XML declaration must specify the XML version 1.0 attribute (<?xml version="1.0">). Settings location templates created by the UE-V template generator are saved in UTF-8 encoding, although the encoding is not explicitly specified. We recommend that you include the encoding="UTF-8" attribute in this element as a best practice. All templates included with the product specify this tag as well (see the documents in %ProgramFiles%\\Microsoft User Experience Virtualization\\Templates for reference). For example: +The XML declaration must specify the XML version 1.0 attribute (<?xml version="1.0">). Settings location templates created by the UE-V template generator are saved in UTF-8 encoding, although the encoding isn't explicitly specified. We recommend that you include the encoding="UTF-8" attribute in this element as a best practice. All templates included with the product specify this tag as well (see the documents in %ProgramFiles%\\Microsoft User Experience Virtualization\\Templates for reference). For example: `` @@ -66,28 +66,30 @@ The XML declaration must specify the XML version 1.0 attribute (<?xml version **Type: String** -UE-V uses the ```https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate``` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag: +UE-V uses the `https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag: -`` +```xml + +``` ### Data types -These are the data types for the UE-V application template schema. +These data types are the ones for the UE-V application template schema. **GUID** -GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. +GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This GUID is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. **FilenameString** FilenameString refers to the file name of a process to be monitored. Its values are restricted by the regex \[^\\\\\\?\\\*\\|<>/:\]+, (that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon characters). **IDString** -IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It is restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). +IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It's restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). **TemplateVersion** TemplateVersion is an integer value used to describe the revision of the settings location template. Its value may range from 0 to 2147483647. **Empty** -Empty refers to a null value. This is used in Process\\ShellProcess to indicate that there is no process to monitor. This value should not be used in any application templates. +Empty refers to a null value. This data type is used in Process\\ShellProcess to indicate that there's no process to monitor. This value shouldn't be used in any application templates. **Author** The Author data type is a complex type that identifies the author of a template. It contains two child elements: **Name** and **Email**. Within the Author data type, the Name element is mandatory while the Email element is optional. This type is described in more detail under the SettingsLocationTemplate element. @@ -102,7 +104,7 @@ ProcessVersion defines a type with four child elements: **Major**, **Minor**, ** Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture. **Process** -The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element’s respective data type: +The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element's respective data type: |Element|Data Type|Mandatory| |--- |--- |--- | @@ -117,11 +119,11 @@ The Process data type is a container used to describe processes to be monitored The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. **Path** -Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default=”False”. +Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default="False". -Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. +Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders aren't included. For registry paths, all values in the current path are captured but child registry keys aren't captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. -The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. +The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This removal may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. **FileMask** FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. @@ -137,8 +139,8 @@ Settings is a container for all the settings that apply to a particular template |Element|Description| |--- |--- | -|Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This is useful for settings that can be applied asynchronously, such as those get/set through an API, like SystemParameterSetting.| -|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates – those that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| +|Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This element is useful for settings that can be applied asynchronously, such as those settings get/set through an API, like SystemParameterSetting.| +|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates – those templates that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| |AlwaysApplySettings|This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.| ### Name Element @@ -147,10 +149,10 @@ Settings is a container for all the settings that apply to a particular template **Type: String** -Name specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. In general, avoid referencing version information, as this can be objected from the ProductVersion element. For example, specify `My Application` rather than `My Application 1.1`. +Name specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. In general, avoid referencing version information, as this referencing can be objected from the ProductVersion element. For example, specify `My Application` rather than `My Application 1.1`. > [!NOTE] -> UE-V does not reference external DTDs, so it is not possible to use named entities in a settings location template. For example, do not use ® to refer to the registered trade mark sign ®. Instead, use canonical numbered references to include these types of special characters, for example, &\#174 for the ® character. This rule applies to all string values in this document. +> UE-V does not reference external DTDs, so it's not possible to use named entities in a settings location template. For example, do not use ® to refer to the registered trade mark sign ®. Instead, use canonical numbered references to include these types of special characters, for example, &\#174 for the ® character. This rule applies to all string values in this document. See for a complete list of character entities. UTF-8-encoded documents may include the Unicode characters directly. Saving templates through the UE-V template generator converts character entities to their Unicode representations automatically. @@ -162,7 +164,7 @@ See for a complete list of character ent **Type: String** -ID populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime (for example, see the output of the Get-UevTemplate and Get-UevTemplateProgram PowerShell cmdlets). By convention, this tag should not contain any spaces, which simplifies scripting. Version numbers of applications should be specified in this element to allow for easy identification of the template, such as `MicrosoftOffice2016Win64`. +ID populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime (for example, see the output of the Get-UevTemplate and Get-UevTemplateProgram PowerShell cmdlets). By convention, this tag shouldn't contain any spaces, which simplifies scripting. Version numbers of applications should be specified in this element to allow for easy identification of the template, such as `MicrosoftOffice2016Win64`. ### Version Element @@ -174,7 +176,7 @@ ID populates a unique identifier for a particular template. This tag becomes the **Maximum Value: 2147483647** -Version identifies the version of the settings location template for administrative tracking of changes. The UE-V template generator automatically increments this number by one each time the template is saved. Notice that this field must be a whole number integer; fractional values, such as `2.5` are not allowed. +Version identifies the version of the settings location template for administrative tracking of changes. The UE-V template generator automatically increments this number by one each time the template is saved. Notice that this field must be a whole number integer; fractional values, such as `2.5` aren't allowed. > [!TIP] > You can save notes about version changes using XML comment tags ``, for example: @@ -208,7 +210,7 @@ Version identifies the version of the settings location template for administrat **Type: String** -Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). +Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly. ### Processes and Process Element @@ -216,7 +218,7 @@ Author identifies the creator of the settings location template. Two optional ch **Type: Element** -Processes contains at least one `` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example: +Processes contain at least one `` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example: ```xml @@ -250,7 +252,7 @@ Filename refers to the actual file name of the executable as it appears in the f Valid filenames must not match the regular expression \[^\\\\\\?\\\*\\|<>/:\]+, that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon (the \\ ? \* | < > / or : characters.). > [!TIP] -> To test a string against this regex, use a PowerShell command window and substitute your executable’s name for **YourFileName**: +> To test a string against this regex, use a PowerShell command window and substitute your executable's name for **YourFileName**: `"YourFileName.exe" -match "[\\\?\*\|<>/:]+"` @@ -269,7 +271,7 @@ A value of **True** indicates that the string contains illegal characters. Here -In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplication.exe` should be specified instead of `MyApplication`. The second example will not apply the template to the process if the actual name of the executable file is “MyApplication.exe”. +In rare circumstances, the FileName value won't necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplication.exe` should be specified instead of `MyApplication`. The second example won't apply the template to the process if the actual name of the executable file is “MyApplication.exe”. ### Architecture @@ -277,9 +279,9 @@ In rare circumstances, the FileName value will not necessarily include the .exe **Type: Architecture (String)** -Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another. +Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this applicability restriction, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This applicability restriction is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another. -If this element is absent, the settings location template ignores the process’ architecture and applies to both 32 and 64-bit processes if the file name and other attributes apply. +If this element is absent, the settings location template ignores the process’ architecture and applies to both 32-bit and 64-bit processes if the file name and other attributes apply. > [!NOTE] > UE-V does not support ARM processors in this version. @@ -292,7 +294,7 @@ If this element is absent, the settings location template ignores the process’ **Type: String** -ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This allows for more easily understood descriptions of a process where the executable name may not be obvious. For example: +ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This flexibility allows for more easily understood descriptions of a process where the executable name may not be obvious. For example: ```xml @@ -310,7 +312,7 @@ ProductName is an optional element used to identify a product for administrative **Type: String** -FileDescription is an optional tag that allows for an administrative description of the executable file. This is a free text field and can be useful in distinguishing multiple executables within a software package where there is a need to identify the function of the executable. +FileDescription is an optional tag that allows for an administrative description of the executable file. This tag is a free text field and can be useful in distinguishing multiple executables within a software package where there's a need to identify the function of the executable. For example, in a suited application, it might be useful to provide reminders about the function of two executables (MyApplication.exe and MyApplicationHelper.exe), as shown here: @@ -342,7 +344,7 @@ For example, in a suited application, it might be useful to provide reminders ab ProductVersion refers to the major and minor product versions of a file, as well as a build and patch level. ProductVersion is an optional element, but if specified, it must contain at least the Major child element. The value must express a range in the form Minimum="X" Maximum="Y" where X and Y are integers. The Minimum and Maximum values can be identical. -The product and file version elements may be left unspecified. Doing so makes the template “version agnostic”, meaning that the template will apply to all versions of the specified executable. +The product and file version elements may be left unspecified. Doing so makes the template "version agnostic", meaning that the template will apply to all versions of the specified executable. **Example 1:** @@ -368,7 +370,7 @@ File version: 5.0.2.1000 specified in the UE-V template generator produces the f ``` -**Incorrect Example 1 – incomplete range:** +**Incorrect Example 1 - incomplete range:** Only the Minimum attribute is present. Maximum must be included in a range as well. @@ -378,7 +380,7 @@ Only the Minimum attribute is present. Maximum must be included in a range as we ``` -**Incorrect Example 2 – Minor specified without Major element:** +**Incorrect Example 2 - Minor specified without Major element:** Only the Minor element is present. Major must be included as well. @@ -394,13 +396,13 @@ Only the Minor element is present. Major must be included as well. **Type: String** -FileVersion differentiates between the release version of a published application and the internal build details of a component executable. For the majority of commercial applications, these numbers are identical. Where they vary, the product version of a file indicates a generic version identification of a file, while file version indicates a specific build of a file (as in the case of a hotfix or update). This uniquely identifies files without breaking detection logic. +FileVersion differentiates between the release version of a published application and the internal build details of a component executable. For most of the commercial applications, these numbers are identical. Where they vary, the product version of a file indicates a generic version identification of a file, while file version indicates a specific build of a file (as in the example of a hotfix or update). This file version uniquely identifies files without breaking detection logic. To determine the product version and file version of a particular executable, right-click on the file in Windows Explorer, select Properties, then click on the Details tab. -Including a FileVersion element for an application allows for more granular fine-tuning detection logic, but is not necessary for most applications. The ProductVersion element settings are checked first, and then FileVersion is checked. The more restrictive setting will apply. +Including a FileVersion element for an application allows for more granular fine-tuning detection logic, but isn't necessary for most applications. The ProductVersion element settings are checked first, and then FileVersion is checked. The more restrictive setting will apply. -The child elements and syntax rules for FileVersion are identical to those of ProductVersion. +The child elements and syntax rules for FileVersion are identical to those elements and rules of ProductVersion. ```xml @@ -419,38 +421,38 @@ The child elements and syntax rules for FileVersion are identical to those of Pr ### Application Element -Application is a container for settings that apply to a particular application. It is a collection of the following fields/types. +Application is a container for settings that apply to a particular application. It's a collection of the following fields/types. |Field/Type|Description| |--- |--- | -|Name|Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| +|Name|Specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| |ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| |Description|An optional description of the template.| |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| -|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.| |Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".| ### Common Element -Common is similar to an Application element, but it is always associated with two or more Application elements. The Common section represents the set of settings that are shared between those Application instances. It is a collection of the following fields/types. +Common is similar to an Application element, but it's always associated with two or more Application elements. The Common section represents the set of settings that are shared between those Application instances. It's a collection of the following fields/types. |Field/Type|Description| |--- |--- | -|Name|Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| +|Name|Specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| |ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| |Description|An optional description of the template.| |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| -|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).| ### SettingsLocationTemplate Element @@ -459,7 +461,7 @@ This element defines the settings for a single application or a suite of applica |Field/Type|Description| |--- |--- | -|Name|Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| +|Name|Specifies a unique name for the settings location template. This type is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| |ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| |Description|An optional description of the template.| |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| @@ -468,7 +470,7 @@ This element defines the settings for a single application or a suite of applica ### Appendix: SettingsLocationTemplate.xsd -Here is the SettingsLocationTemplate.xsd file showing its elements, child elements, attributes, and parameters: +Here's the SettingsLocationTemplate.xsd file showing its elements, child elements, attributes, and parameters: ```xml diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 61ca2b8c88..f9a1b5f123 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -28,7 +28,7 @@ When the User Experience Virtualization (UE-V) service is enabled, it creates th > [!NOTE] > These tasks must remain enabled, because UE-V cannot function without them. -These scheduled tasks are not configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options. +These scheduled tasks aren't configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options. For more information about Schtasks.exe, see [Schtasks](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc725744(v=ws.11)). @@ -38,11 +38,11 @@ The following scheduled tasks are included in UE-V with sample scheduled task co ### Monitor Application Settings -The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is runs at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory. +The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It's runs at sign in but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory. |Task name|Default event| |--- |--- | -|\Microsoft\UE-V\Monitor Application Status|Logon| +|\Microsoft\UE-V\Monitor Application Status|Sign in| ### Sync Controller Application @@ -50,7 +50,7 @@ The **Sync Controller Application** task is used to start the Sync Controller to |Task name|Default event| |--- |--- | -|\Microsoft\UE-V\Sync Controller Application|Logon, and every 30 minutes thereafter| +|\Microsoft\UE-V\Sync Controller Application|Sign in, and every 30 minutes thereafter| For example, the following command configures the agent to synchronize settings every 15 minutes instead of the default 30 minutes. @@ -60,11 +60,11 @@ Schtasks /change /tn “Microsoft\UE-V\Sync Controller Application” /ri 15 ### Synchronize Settings at Logoff -The **Synchronize Settings at Logoff** task is used to start an application at logon that controls the synchronization of applications at logoff for UE-V. The Synchronize Settings at Logoff task runs the Microsoft.Uev.SyncController.exe file, which is located in the UE-V Agent installation directory. +The **Synchronize Settings at Logoff** task is used to start an application at sign in that controls the synchronization of applications at sign out for UE-V. The Synchronize Settings at Logoff task runs the Microsoft.Uev.SyncController.exe file, which is located in the UE-V Agent installation directory. |Task name|Default event| |--- |--- | -|\Microsoft\UE-V\Synchronize Settings at Logoff|Logon| +|\Microsoft\UE-V\Synchronize Settings at Logoff|Sign in| ### Template Auto Update @@ -88,22 +88,22 @@ The following chart provides additional information about scheduled tasks for UE |Task Name (file name)|Default Frequency|Power Toggle|Idle Only|Network Connection|Description| |--- |--- |--- |--- |--- |--- | -|**Monitor Application Settings** (UevAppMonitor.exe)|Starts 30 seconds after logon and continues until logoff.|No|Yes|N/A|Synchronizes settings for Windows (AppX) apps.| -|**Sync Controller Application** (Microsoft.Uev.SyncController.exe)|At logon and every 30 min thereafter.|Yes|Yes|Only if Network is connected|Starts the Sync Controller which synchronizes local settings with the settings storage location.| -|**Synchronize Settings at Logoff** (Microsoft.Uev.SyncController.exe)|Runs at logon and then waits for Logoff to Synchronize settings.|No|Yes|N/A|Start an application at logon that controls the synchronization of applications at logoff.| -|**Template Auto Update** (ApplySettingsCatalog.exe)|Runs at initial logon and at 3:30 AM every day thereafter.|Yes|No|N/A|Checks the settings template catalog for new, updated, or removed templates. This task only runs if SettingsTemplateCatalog is configured.| +|**Monitor Application Settings** (UevAppMonitor.exe)|Starts 30 seconds after sign in and continues until sign out.|No|Yes|N/A|Synchronizes settings for Windows (AppX) apps.| +|**Sync Controller Application** (Microsoft.Uev.SyncController.exe)|At sign in and every 30 min thereafter.|Yes|Yes|Only if Network is connected|Starts the Sync Controller that synchronizes local settings with the settings storage location.| +|**Synchronize Settings at Logoff** (Microsoft.Uev.SyncController.exe)|Runs at sign in and then waits for sign out to Synchronize settings.|No|Yes|N/A|Start an application at sign in that controls the synchronization of applications at sign out.| +|**Template Auto Update** (ApplySettingsCatalog.exe)|Runs at initial sign in and at 3:30 AM every day thereafter.|Yes|No|N/A|Checks the settings template catalog for new, updated, or removed templates. This task only runs if SettingsTemplateCatalog is configured.| **Legend** - **Power Toggle** – Task Scheduler will optimize power consumption when not connected to AC power. The task might stop running if the computer switches to battery power. -- **Idle Only** – The task will stop running if the computer ceases to be idle. By default the task will not restart when the computer is idle again. Instead the task will begin again on the next task trigger. +- **Idle Only** – The task will stop running if the computer ceases to be idle. By default the task won't restart when the computer is idle again. Instead the task will begin again on the next task trigger. - **Network Connection** – Tasks marked “Yes” only run if the computer has a network connection available. Tasks marked “N/A” run regardless of network connectivity. ### How to Manage Scheduled Tasks -To find Scheduled Tasks, perform the following: +To find Scheduled Tasks, perform the following steps: 1. Open “Schedule Tasks” on the user computer. @@ -117,9 +117,9 @@ The following additional information applies to UE-V scheduled tasks: - All task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default. -- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30 min default to a higher amount if necessary. +- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings don't synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30-min default to a higher amount if necessary. -- You do not need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (i.e. Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately. +- You don't need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (that is, Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately. - The Monitor Application Settings scheduled task will update Windows app (AppX) settings in real time, based on Windows app program setting triggers built into each app. diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index b8e6955c3d..4377246f93 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -34,7 +34,7 @@ The UE-V Configuration Pack includes tools to: |Configuration|Setting|Description| |--- |--- |--- | |Max package size|Enable/disable Windows app sync|Wait for sync on application start| - |Setting import delay|Sync unlisted Windows apps|Wait for sync on logon| + |Setting import delay|Sync unlisted Windows apps|Wait for sync on sign in| |Settings import notification|IT contact URL|Wait for sync timeout| |Settings storage path|IT contact descriptive text|Settings template catalog path| |Sync enablement|Tray icon enabled|Start/Stop UE-V agent service| @@ -87,7 +87,7 @@ The UE-V service policy configuration item CAB file is created using the UevTemp - **Unmanaged** to have the configuration item left at its current state - Do not remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you do not want Configuration Manager to alter current or default values. + Don't remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you don't want Configuration Manager to alter current or default values. **CurrentComputerUserPolicy** All UE-V user level settings. These entries override the machine settings for a user. The DesiredState attribute can be @@ -98,7 +98,7 @@ The UE-V service policy configuration item CAB file is created using the UevTemp - **Unmanaged** to have the configuration item left at its current state - Do not remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you do not want Configuration Manager to alter current or default values. + Don't remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you don't want Configuration Manager to alter current or default values. **Services** Entries in this section control service operation. The default configuration file contains a single entry for the UevAgentService. The DesiredState attribute can be set to **Running** or **Stopped**. @@ -112,7 +112,7 @@ The UE-V service policy configuration item CAB file is created using the UevTemp - **Cleared** to have the entry removed from UE-V control - Additional lines can be added to this section based on the list of installed Windows apps that can be viewed using the PowerShell cmdlet GetAppxPackage. + More lines can be added to this section based on the list of installed Windows apps that can be viewed using the PowerShell cmdlet GetAppxPackage. **Windows8AppsCurrentComputerUserPolicy** Identical to the Windows8AppsComputerPolicy with settings that override machine settings for an individual user. @@ -159,9 +159,9 @@ The result is a baseline CAB file that is ready for import into Configuration Ma ### Create the First UE-V Template Baseline -1. Create a “master” set of UE-V templates in a stable folder location visible to the machine running your ConfigMgr Admin Console. As templates are added or updated, this folder is where they are pulled for distribution. The initial list of templates can be copied from a machine with UE-V installed. The default template location is C:\\Program Files\\Microsoft User Experience Virtualization\\Templates. +1. Create a “master” set of UE-V templates in a stable folder location visible to the machine running your ConfigMgr Admin Console. As templates are added or updated, this folder is where they're pulled for distribution. The initial list of templates can be copied from a machine with UE-V installed. The default template location is C:\\Program Files\\Microsoft User Experience Virtualization\\Templates. -2. Create a text.bat file where you can add the template generator command. This is optional, but will make regeneration simpler if you save the command parameters. +2. Create a text.bat file where you can add the template generator command. This step is optional, but will make regeneration simpler if you save the command parameters. 3. Add the command and parameters to the .bat file that will generate the baseline. The following example creates a baseline that distributes Notepad and Calculator: diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index b41463da76..efe3834122 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -1,6 +1,6 @@ --- title: Deploy required UE-V features -description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings. +description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings. author: aczechowski ms.prod: w10 ms.date: 04/19/2017 @@ -19,7 +19,7 @@ To get up and running with User Experience Virtualization (UE-V), install and co - [Deploy a settings storage location](#deploy-a-ue-v-settings-storage-location) that is accessible to end users. - This is a standard network share that stores and retrieves user settings. + This feature is a standard network share that stores and retrieves user settings. - [Choose the configuration method for UE-V](#choose-the-configuration-method-for-ue-v) @@ -85,10 +85,10 @@ The UE-V service dynamically creates a user-specific settings storage path, with | Creator/owner | Full control | Subfolders and files only | | Security group of UE-V users | List folder/read data, create folders/append data | This folder only | -With this configuration, the UE-V service creates and secures a Settingspackage folder while it runs in the context of the user, and grants each user permission to create folders for settings storage. Users receive full control to their Settingspackage folder while other users cannot access it. +With this configuration, the UE-V service creates and secures a Settingspackage folder while it runs in the context of the user, and grants each user permission to create folders for settings storage. Users receive full control to their Settingspackage folder while other users can't access it. **Note** -If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: +If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this extra security, specify this setting in the Windows Server Registry Editor: 1. Add a **REG\_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\UEV\\Agent\\Configuration**. @@ -100,7 +100,7 @@ The UE-V service uses Active Directory (AD) by default if you don’t define a s ## Choose the Configuration Method for UE-V -You’ll need to decide which configuration method you'll use to manage UE-V after deployment since this will be the configuration method you use to deploy the UE-V Agent. Typically, this is the configuration method that you already use in your environment, such as Windows PowerShell or Configuration Manager. +You’ll need to decide which configuration method you'll use to manage UE-V after deployment since this configuration method is the one you'll use to deploy the UE-V Agent. Typically, this configuration method is the one that you already use in your environment, such as Windows PowerShell or Configuration Manager. You can configure UE-V before, during, or after you enable the UE-V service on user devices, depending on the configuration method that you use. diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index fad99aed73..883ee35328 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -15,9 +15,9 @@ ms.topic: article **Applies to** - Windows 10, version 1607 -User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator. +User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those settings included in the default templates, you can create your own custom settings location templates with the UE-V template generator. -After you’ve reviewed [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) and decided that you want to synchronize settings for custom applications (third-party, line-of-business, e.g.), you’ll need to deploy the features of UE-V described in this topic. +After you’ve reviewed [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) and decided that you want to synchronize settings for custom applications (for example, third-party, line-of-business), you’ll need to deploy the features of UE-V described in this topic. To start, here are the main steps required to synchronize settings for custom applications: @@ -52,7 +52,7 @@ Before you start deploying the UE-V features that handle custom applications, re ### The UE-V template generator -Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator does not create settings location templates for the following types of applications: +Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator doesn't create settings location templates for the following types of applications: - Virtualized applications @@ -63,11 +63,11 @@ Use the UE-V template generator to monitor, discover, and capture the locations - Windows applications >**Note** -UE-V settings location templates cannot be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V template generator. For more information about synchronizing settings for virtual applications, see [Using UE-V with virtual applications](uev-using-uev-with-application-virtualization-applications.md). +UE-V settings location templates can't be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V template generator. For more information about synchronizing settings for virtual applications, see [Using UE-V with virtual applications](uev-using-uev-with-application-virtualization-applications.md). -**Excluded Locations:** The discovery process excludes locations that commonly store application software files that do not synchronize settings well between user computers or computing environments. By default, these are excluded: +**Excluded Locations:** The discovery process excludes locations that commonly store application software files that don't synchronize settings well between user computers or computing environments. By default, these files are excluded: -- HKEY\_CURRENT\_USER registry keys and files to which the logged-on user cannot write values +- HKEY\_CURRENT\_USER registry keys and files to which the signed-in user can't write values - HKEY\_CURRENT\_USER registry keys and files that are associated with the core functionality of the Windows operating system @@ -83,7 +83,7 @@ If registry keys and files that are stored in excluded locations are required to ### Replace the default Microsoft templates -A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1607. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you will need to include the default templates with the custom templates in the settings template catalog. +A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1607. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you'll need to include the default templates with the custom templates in the settings template catalog. >**Important** After you enable the UE-V service, you’ll need to register the settings location templates using the `Register-UevTemplate` cmdlet in Windows PowerShell. @@ -95,7 +95,7 @@ If there are customized templates in the settings template catalog that use the You can replace the default templates by using the UE-V Windows PowerShell features. To replace the default Microsoft template with Windows PowerShell, unregister all of the default Microsoft templates, and then register the customized templates. -Old settings packages remain in the settings storage location even if you deploy new settings location templates for an application. These packages are not read by the UE-V service, but neither are they automatically deleted. +Old settings packages remain in the settings storage location even if you deploy new settings location templates for an application. These packages aren't read by the UE-V service, but neither are they automatically deleted. ### Install the UEV template generator @@ -209,7 +209,7 @@ Use the UE-V template generator to create settings location templates for line-o 11. Click **Close** to close the settings template wizard. Exit the UE-V template generator application. -12. After you have created the settings location template for an application, test the template. Deploy the template in a lab environment before you put it into production in the enterprise. +12. After you've created the settings location template for an application, test the template. Deploy the template in a lab environment before you put it into production in the enterprise. See [Application template schema reference for UE-V](uev-application-template-schema-reference.md) for details about the XML structure of the UE-V settings location template and for guidance about editing these files. diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 1aa6e9f43e..60b4b6dd82 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -15,7 +15,7 @@ ms.topic: article **Applies to** - Windows 10, version 1607 -As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore additional settings when a user adopts a new device. +As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore more settings when a user adopts a new device. ## Restore Settings in UE-V when a User Adopts a New Device @@ -30,7 +30,7 @@ Set-UevTemplateProfile -ID -Profile - <backup> can either be Backup or Roaming -When replacing a user’s device, UE-V automatically restores settings if the user’s domain, username, and device name all match. All synchronized and any backup data is restored on the device automatically. +When a user’s device is being replaced, UE-V automatically restores settings if the user’s domain, username, and device name all match. All synchronized and any backup data is restored on the device automatically. You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell: @@ -40,7 +40,7 @@ Restore-UevBackup -ComputerName where <ComputerName> is the computer name of the device. -Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile. +Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings can't be included in a roaming profile. As part of the Backup/Restore feature, UE-V added **last known good (LKG)** to the options for rolling back to settings. In this release, you can roll back to either the original settings or LKG settings. The LKG settings let users roll back to an intermediate and stable point ahead of the pre-UE-V state of the settings. @@ -74,7 +74,7 @@ Templates designated BackupOnly include settings specific to that device that sh **Settings packages location within the Settings Storage Location template** -Roaming Profile settings are stored on the settings storage location. Templates assigned to the Backup or the BackupOnly profile store their settings to the Settings Storage Location in a special Device name directory. Each device with templates in these profiles has its own device name. UE-V does not clean up these directories. +Roaming Profile settings are stored on the settings storage location. Templates assigned to the Backup or the BackupOnly profile store their settings to the Settings Storage Location in a special Device name directory. Each device with templates in these profiles has its own device name. UE-V doesn't clean up these directories. **Backup trigger** @@ -123,7 +123,7 @@ WMI and Windows PowerShell commands let you restore application and Windows sett |`Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserSettings -Name RestoreByTemplateId -ArgumentList `|Restores the user settings for an application or restores a group of Windows settings.| >[!NOTE] ->UE-V does not provide a settings rollback for Windows apps. +>UE-V doesn't provide a settings rollback for Windows apps. ## Related topics diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index ab70b3209a..b6ebd53d9d 100644 --- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md @@ -41,8 +41,8 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m |`Set-UevConfiguration -Computer -DisableFirstUseNotification`|Configures the UE-V service to not display notification the first time that the service runs for all users on the computer.| |`Set-UevConfiguration -Computer -EnableSettingsImportNotify`|Configures the UE-V service to notify all users on the computer when settings synchronization is delayed.

Use the DisableSettingsImportNotify parameter to disable notification.| |`Set-UevConfiguration -CurrentComputerUser -EnableSettingsImportNotify`|Configures the UE-V service to notify the current user when settings synchronization is delayed.

Use the DisableSettingsImportNotify parameter to disable notification.| - |`Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| - |`Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| + |`Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that aren't explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| + |`Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that aren't explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| |`Set-UevConfiguration -Computer -DisableSync`|Disables UE-V for all the users on the computer.

Use the EnableSync parameter to enable or re-enable.| |`Set-UevConfiguration -CurrentComputerUser -DisableSync`|Disables UE-V for the current user on the computer.

Use the EnableSync parameter to enable or re-enable.| |`Set-UevConfiguration -Computer -EnableTrayIcon`|Enables the UE-V icon in the notification area for all users of the computer.

Use the DisableTrayIcon parameter to disable the icon.| @@ -97,7 +97,7 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m |`$config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration`

`$config. = `

`$config.Put()`|Updates a specific per-computer setting. To clear the setting, use $null as the setting value.| |`$config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration`

`$config. = `

`$config.Put()`|Updates a specific per-user setting for all users of the computer. To clear the setting, use $null as the setting value.| -When you are finished configuring the UE-V service with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations. +When you're finished configuring the UE-V service with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations. `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index eaa34a41eb..2716fc1659 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -21,7 +21,7 @@ In the lifecycle of a User Experience Virtualization (UE-V) deployment, you migh - Migration of a settings storage location share from a test server to a production server -Simply copying the files and folders does not preserve the security settings and permissions. The following steps describe how to correctly copy the settings package along with their NTFS file system permissions to a new share. +Simply copying the files and folders doesn't preserve the security settings and permissions. The following steps describe how to correctly copy the settings package along with their NTFS file system permissions to a new share. **To preserve UE-V settings packages when you migrate to a new server** diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index 38b78b9d47..f44d3f47be 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -15,13 +15,13 @@ ms.topic: article **Applies to** - Windows 10, version 1607 -Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment you’re planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic. +Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment you're planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic. ## Plan your UE-V deployment With UE-V, you can synchronize user-defined application and operating system settings across all the devices that a user works from. Use UE-V to synchronize settings for Windows applications and custom applications, such as third-party and line-of-business applications. -Whether you want to synchronize settings for only default Windows applications or for both Windows and custom applications, you’ll need to first deploy the features required to use UE-V. +Whether you want to synchronize settings for only default Windows applications or for both Windows and custom applications, you'll need to first deploy the features required to use UE-V. [Deploy required UE-V features](uev-deploy-required-features.md) @@ -29,7 +29,7 @@ Whether you want to synchronize settings for only default Windows applications o - [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers -If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you’ll need to install and configure these optional additional UE-V features: +If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you’ll need to install and configure these optional extra UE-V features: [Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md) @@ -49,11 +49,11 @@ The workflow diagram below illustrates a typical UE-V deployment and the decisio ### Planning a UE-V deployment -Review the following topics to determine which UE-V components you’ll be deploying. +Review the following topics to determine which UE-V components you'll be deploying. - [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications) - If you want to synchronize settings for custom applications, you’ll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks: + If you want to synchronize settings for custom applications, you'll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks: - Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment). @@ -79,11 +79,7 @@ This section explains which settings are synchronized by default in UE-V, includ - A statement of support for Windows applications setting synchronization -For downloadable UE-V templates, see: - -- [Microsoft Authored Office 2016 UE-V Templates](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8) - -- [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367) (for Office 2013 and Office 2010) +For downloadable UE-V templates, see: [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367) ### Desktop applications synchronized by default in UE-V @@ -91,16 +87,16 @@ When you enable the UE-V service on user devices, it registers a default group o | Application category | Description | |-----------------------------|-------------------| -| Microsoft Office 2016 applications
[Download a list of all settings synced](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8) | Microsoft Access 2016
Microsoft Lync 2016
Microsoft Excel 2016
Microsoft OneNote 2016
Microsoft Outlook 2016
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
Microsoft Infopath has been removed (deprecated) from the Office 2016 suite | +| Microsoft Office 2016 applications | Microsoft Access 2016
Microsoft Lync 2016
Microsoft Excel 2016
Microsoft OneNote 2016
Microsoft Outlook 2016
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
Microsoft Infopath has been removed (deprecated) from the Office 2016 suite | | Microsoft Office 2013 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013
Microsoft Excel 2013
Microsoft Outlook 2013
Microsoft Access 2013
Microsoft Project 2013
Microsoft PowerPoint 2013
Microsoft Publisher 2013
Microsoft Visio 2013
Microsoft InfoPath 2013
Microsoft Lync 2013
Microsoft OneNote 2013
Microsoft SharePoint Designer 2013
Microsoft Office 2013 Upload Center
Microsoft OneDrive for Business 2013 | Microsoft Office 2010 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010
Microsoft Excel 2010
Microsoft Outlook 2010
Microsoft Access 2010
Microsoft Project 2010
Microsoft PowerPoint 2010
Microsoft Publisher 2010
Microsoft Visio 2010
Microsoft SharePoint Workspace 2010
Microsoft InfoPath 2010
Microsoft Lync 2010
Microsoft OneNote 2010
Microsoft SharePoint Designer 2010 | -| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
**Note**
UE-V does not roam settings for Internet Explorer cookies. | +| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
**Note**
UE-V doesn't roam settings for Internet Explorer cookies. | | Windows accessories | Microsoft NotePad, WordPad | > [!NOTE] > - An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. > -> - UE-V does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems. +> - UE-V doesn't synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems. ### Windows settings synchronized by default @@ -110,17 +106,17 @@ UE-V includes settings location templates that capture settings values for these |----------------------|-----------------|--------------|---------------|-------------------| | Desktop background | Currently active desktop background or wallpaper | Log on, unlock, remote connect, Scheduled Task events | Log off, lock, remote disconnect, or scheduled task interval | Enabled | | Ease of Access | Accessibility and input settings, Microsoft Magnifier, Narrator, and on-Screen Keyboard | Log on only | Log off or scheduled task interval | Enabled | -| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, additional clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled | +| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, more clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled | > [!IMPORTANT] -> UE-V roams taskbar settings between Windows 10 devices. However, UE-V does not synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions. +> UE-V roams taskbar settings between Windows 10 devices. However, UE-V doesn't synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions. | Settings group | Category | Capture | Apply | |--------------------------|----------------|----------------|--------------| | **Application Settings** | Windows applications | Close application
Windows application settings change event | Start the UE-V App Monitor at startup
Open app
Windows application settings change event
Arrival of a settings package | | | Desktop applications | Application closes | Application opens and closes | | **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | -| | Ease of Access (Common – Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on | +| | Ease of Access (Common - Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on | | | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | | | Desktop settings | Lock or log off | Log on | @@ -146,11 +142,11 @@ Printer roaming in UE-V requires one of these scenarios: - The printer driver can be imported from Windows Update. > [!NOTE] -> The UE-V printer roaming feature does not roam printer settings or preferences, such as printing double-sided. +> The UE-V printer roaming feature doesn't roam printer settings or preferences, such as printing double-sided. ### Determine whether you need settings synchronized for other applications -After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise. +After you've reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise. As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments. @@ -164,21 +160,21 @@ In general, you can synchronize settings that meet the following criteria: ### Checklist for evaluating custom applications -If you’ve decided that you need to synchronize settings for custom applications, use this checklist to determine which applications you’ll include. +If you've decided that you need to synchronize settings for custom applications, use this checklist to determine which applications you'll include. |   | Description | |-------|--------------------------| | ![Checklist box.](images/uev-checklist-box.gif) | Does this application contain settings that the user can customize? | | ![Checklist box.](images/uev-checklist-box.gif) | Is it important for the user that these settings are synchronized? | | ![Checklist box.](images/uev-checklist-box.gif) | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. | -| ![Checklist box.](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. | -| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. | -| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience.| +| ![Checklist box.](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations don't consistently synchronize across sessions and can cause a poor application experience. | +| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually shouldn't synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. | +| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that shouldn't synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this extra data can cause a poor application experience.| | ![Checklist box.](images/uev-checklist-box.gif) | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. | ## Other considerations when preparing a UE-V deployment -You should also consider these things when you are preparing to deploy UE-V: +You should also consider these things when you're preparing to deploy UE-V: - [Managing credentials synchronization](#managing-credentials-synchronization-in-ue-v) @@ -196,19 +192,19 @@ You should also consider these things when you are preparing to deploy UE-V: ### Managing credentials synchronization in UE-V -Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid re-entering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V. +Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid reentering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V. > [!IMPORTANT] > Credentials synchronization is disabled by default. You must explicitly enable credentials synchronization after you enable the UE-V service to implement this feature. -UE-V can synchronize enterprise credentials, but does not roam credentials intended only for use on the local device. +UE-V can synchronize enterprise credentials, but doesn't roam credentials intended only for use on the local device. -Credentials are synchronous settings, meaning that they are applied to users' profiles the first time they log on to their devices after UE-V synchronizes. +Credentials are synchronous settings, meaning that they're applied to users' profiles the first time they log on to their devices after UE-V synchronizes. Credentials synchronization is managed by its own settings location template, which is disabled by default. You can enable or disable this template through the same methods used for other templates. The template identifier for this feature is RoamingCredentialSettings. > [!IMPORTANT] -> If you are using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization. +> If you're using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization. [PowerShell](uev-administering-uev-with-windows-powershell-and-wmi.md)**:** Enter this PowerShell cmdlet to enable credential synchronization: @@ -250,7 +246,7 @@ Credential files saved by applications into the following locations are synchron - %UserProfile%\\AppData\\Roaming\\Microsoft\\SystemCertificates\\ -Credentials saved to other locations are not synchronized by UE-V. +Credentials saved to other locations aren't synchronized by UE-V. ### Windows applications settings synchronization @@ -260,13 +256,13 @@ UE-V manages Windows application settings synchronization in three ways: - **Windows applications list:** Synchronize a list of Windows applications -- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that are not in the Windows applications list. +- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that aren't in the Windows applications list. For more information, see the [Windows Application List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist). ### Custom UE-V settings location templates -If you are deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. +If you're deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell. @@ -286,7 +282,7 @@ UE-V downloads new user settings information from a settings storage location an - When the Sync Controller Application scheduled task is run -If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they are opened and closed with preferred settings. +If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they're opened and closed with preferred settings. This scenario also applies to Windows settings. If the Windows settings on computer B should be the same as the Windows settings on computer A, then the user should log on and log off computer A first. @@ -298,7 +294,7 @@ Specify your requirements for UE-V with standard disk capacity and network healt UE-V uses a Server Message Block (SMB) share for the storage of settings packages. The size of settings packages varies depending on the settings information for each application. While most settings packages are small, the synchronization of potentially large files, such as desktop images, can result in poor performance, particularly on slower networks. -To reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location. +To reduce problems with network latency, create settings storage locations on the same local networks where the users' computers reside. We recommend 20 MB of disk space per user for the settings storage location. By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy objects](uev-configuring-uev-with-group-policy-objects.md). @@ -308,17 +304,17 @@ The UE-V settings storage location and settings template catalog support storing - Format the storage volume with an NTFS file system. -- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see: +- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see: - [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles) - [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](/troubleshoot/windows-server/networking/support-policy-for-dfsr-dfsn-deployment) - In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication. + In addition, because SYSVOL uses DFSR for replication, SYSVOL can't be used for UE-V data file replication. - Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the settings storage location for UE-V](uev-deploy-required-features.md). -- Use file server clustering along with the UE-V service to provide access to copies of user state data in the event of communications failures. +- Use file server clustering along with the UE-V service to provide access to copies of user state data if communications failures occur. - You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both. @@ -339,7 +335,7 @@ Before you proceed, ensure that your environment meets these requirements for us > [!NOTE] > - Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. > -> - The “Delete Roaming Cache” policy for mandatory profiles is not supported with UE-V and should not be used. +> - The “Delete Roaming Cache” policy for mandatory profiles isn't supported with UE-V and shouldn't be used. There are no special random access memory (RAM) requirements specific to UE-V. @@ -357,7 +353,7 @@ Sync Provider is the default setting for users and synchronizes a local cache wi A scheduled task manages this synchronization of settings every 30 minutes or through trigger events for certain applications. For more information, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md). -The UE-V service synchronizes user settings for devices that are not always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions). +The UE-V service synchronizes user settings for devices that aren't always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions). **Synchronization for computers with always-available connections** When you use UE-V on devices that are always connected to the network, you must configure the UE-V service to synchronize settings by using the *SyncMethod=None* parameter, which treats the settings storage server as a standard network share. In this configuration, the UE-V service can be configured to notify if the import of the application settings is delayed. diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index 67badc0dbf..743b218e4a 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -1,6 +1,6 @@ --- title: User Experience Virtualization (UE-V) Release Notes -description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation. +description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation. author: aczechowski ms.prod: w10 ms.date: 04/19/2017 @@ -15,7 +15,7 @@ ms.topic: article **Applies to** - Windows 10, version 1607 -This topic includes information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation. If there are differences between the information in this topic and other UE-V topics, the latest change should be considered authoritative. +This topic includes information required to successfully install and use UE-V that isn't included in the User Experience Virtualization (UE-V) documentation. If there are differences between the information in this topic and other UE-V topics, the latest change should be considered authoritative. ### Company Settings Center removed in UE-V for Windows 10, version 1607 @@ -44,33 +44,33 @@ When a user generates a valid settings location template for the Skype desktop a WORKAROUND: Remove or unregister the Skype template to allow Skype to work again. -### Registry settings do not synchronize between App-V and native applications on the same device +### Registry settings don't synchronize between App-V and native applications on the same device -When a device has an application that is installed through both Application Virtualization (App-V) and locally with a Windows Installer (.msi) file, the registry-based settings do not synchronize between the technologies. +When a device has an application that is installed through both Application Virtualization (App-V) and locally with a Windows Installer (.msi) file, the registry-based settings don't synchronize between the technologies. WORKAROUND: To resolve this problem, run the application by selecting one of the two technologies, but not both. ### Unpredictable results when both Office 2010 and Office 2013 are installed on the same device -When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be large or result in unpredictable conflicts with 2013, particularly if Office 365 is used. +When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This roaming could cause the Office 2010 package size to be large or result in unpredictable conflicts with 2013, particularly if Office 365 is used. WORKAROUND: Install only one version of Office or limit which settings are synchronized by UE-V. ### Uninstallation and reinstallation of Windows 8 applications reverts settings to initial state -While using UE-V settings synchronization for a Windows 8 application, if the user uninstalls the application and then reinstalls the application, the application’s settings revert to their default values. This result happens because the uninstall removes the local (cached) copy of the application’s settings but does not remove the local UE-V settings package. When the application is reinstalled and launched, UE-V gathers the application settings that were reset to the application defaults and then uploads the default settings to the central storage location. Other computers running the application then download the default settings. This behavior is identical to the behavior of desktop applications. +While UE-V settings synchronization is being used for a Windows 8 application, if the user uninstalls the application and then reinstalls the application, the application’s settings revert to their default values. This result happens because the uninstall removes the local (cached) copy of the application’s settings but doesn't remove the local UE-V settings package. When the application is reinstalled and launched, UE-V gathers the application settings that were reset to the application defaults and then uploads the default settings to the central storage location. Other computers running the application then download the default settings. This behavior is identical to the behavior of desktop applications. WORKAROUND: None. -### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office +### UE-V doesn't support roaming settings between 32-bit and 64-bit versions of Microsoft Office -We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click [here](). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office. +We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click [here](). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V doesn't support roaming settings between 32-bit and 64-bit versions of Office. WORKAROUND: None -### Favicons that are associated with Internet Explorer 9 favorites do not roam +### Favicons that are associated with Internet Explorer 9 favorites don't roam -The favicons that are associated with Internet Explorer 9 favorites are not roamed by User Experience Virtualization and do not appear when the favorites first appear on a new computer. +The favicons that are associated with Internet Explorer 9 favorites aren't roamed by User Experience Virtualization and don't appear when the favorites first appear on a new computer. WORKAROUND: Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser. @@ -84,7 +84,7 @@ WORKAROUND: Use folder redirection or some other technology to ensure that any f Keep settings storage paths as short as possible. Long paths could prevent resolution or synchronization. UE-V uses the Settings storage path as part of the calculated path to store settings. That path is calculated in the following way: settings storage path + "settingspackages" + package dir (template ID) + package name (template ID) + .pkgx. If that calculated path exceeds 260 characters, package storage will fail and generate the following error message in the UE-V operational event log: -\[boost::filesystem::copy\_file: The system cannot find the path specified\] +\[boost::filesystem::copy\_file: The system can't find the path specified\] To check the operational log events, open the Event Viewer and navigate to Applications and Services Logs / Microsoft / User Experience Virtualization / Logging / Operational. @@ -92,7 +92,7 @@ WORKAROUND: None. ### Some operating system settings only roam between like operating system versions -Operating system settings for Narrator and currency characters specific to the locale (that is, language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8. +Operating system settings for Narrator and currency characters specific to the locale (that is, language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters won't roam between Windows 7 and Windows 8. WORKAROUND: None diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md index b7dc73d2d0..d6c504b837 100644 --- a/windows/configuration/ue-v/uev-security-considerations.md +++ b/windows/configuration/ue-v/uev-security-considerations.md @@ -23,13 +23,13 @@ This topic contains a brief overview of accounts and groups, log files, and othe > [!IMPORTANT] > When you create the settings storage share, limit the share access to users who require access. -Because settings packages might contain personal information, you should take care to protect them as well as possible. In general, do the following: +Because settings packages might contain personal information, you should take care to protect them as much as possible. In general, do the following steps: - Restrict the share to only those users who require access. Create a security group for users who have redirected folders on a particular share and limit access to only those users. -- When you create the share, hide the share by putting a $ after the share name. This addition hides the share from casual browsers, and the share is not visible in My Network Places. +- When you create the share, hide the share by putting a $ after the share name. This addition hides the share from casual browsers, and the share isn't visible in My Network Places. -- Only give users the minimum amount of permissions that they must have. The following tables show the required permissions. +- Only give users the minimum number of permissions that they must have. The following tables show the required permissions. 1. Set the following share-level SMB permissions for the setting storage location folder. @@ -59,10 +59,10 @@ Because settings packages might contain personal information, you should take ca |User account|Recommended permissions|Apply to| |--- |--- |--- | - |Creator/Owner|Full control|This folder, sub-folders, and files| - |Domain Computers|List folder contents and Read permissions|This folder, sub-folders, and files| + |Creator/Owner|Full control|This folder, subfolders, and files| + |Domain Computers|List folder contents and Read permissions|This folder, subfolders, and files| |Everyone|No permissions|No permissions| - |Administrators|Full Control|This folder, sub-folders, and files| + |Administrators|Full Control|This folder, subfolders, and files| ### Use Windows Server as of Windows Server 2003 to host redirected file shares @@ -72,9 +72,9 @@ User settings data is vulnerable to these potential threats: interception of the As of Windows Server 2003, several features of the Windows Server operating system can help secure user data: -- **Kerberos** - Kerberos is standard on all versions of Microsoft Windows 2000 Server and Windows Server beginning with Windows Server 2003. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client does not know whether the server is valid. This difference is particularly important if the client exchanges personal files with the server, as is the case with Roaming User Profiles. Kerberos provides better security than NTLM. Kerberos is not available on the Microsoft Windows NT Server 4.0 or earlier operating systems. +- **Kerberos** - Kerberos is standard on all versions of Microsoft Windows 2000 Server and Windows Server beginning with Windows Server 2003. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client doesn't know whether the server is valid. This difference is important if the client exchanges personal files with the server, as is the case with Roaming User Profiles. Kerberos provides better security than NTLM. Kerberos isn't available on the Microsoft Windows NT Server 4.0 or earlier operating systems. -- **IPsec** - The IP Security Protocol (IPsec) provides network-level authentication, data integrity, and encryption. IPsec ensures the following: +- **IPsec** - The IP Security Protocol (IPsec) provides network-level authentication, data integrity, and encryption. IPsec ensures that: - Roamed data is safe from data modification while data is en route. @@ -82,23 +82,23 @@ As of Windows Server 2003, several features of the Windows Server operating sys - Roamed data is safe from access by unauthenticated parties. -- **SMB Signing** - The Server Message Block (SMB) authentication protocol supports message authentication, which prevents active message and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature into each SMB. The digital signature is then verified by both the client and the server. In order to use SMB signing, you must first either enable it, or you must require it on both the SMB client and the SMB server. Note that the SMB signing imposes a performance penalty. It does not consume any more network bandwidth, but it uses more CPU cycles on the client and server side. +- **SMB Signing** - The Server Message Block (SMB) authentication protocol supports message authentication, which prevents active message and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature into each SMB. The digital signature is then verified by both the client and the server. In order to use SMB signing, you must first either enable it, or you must require it on both the SMB client and the SMB server. The SMB signing imposes a performance penalty. It doesn't consume any more network bandwidth, but it uses more CPU cycles on the client and server side. ### Always use the NTFS file system for volumes that hold user data For the most secure configuration, configure servers that host the UE-V settings files to use the NTFS file system. Unlike the FAT file system, NTFS supports Discretionary access control lists (DACLs) and system access control lists (SACLs). DACLs and SACLs control who can perform operations on a file and what events trigger the logging of actions that is performed on a file. -### Do not rely on EFS to encrypt user files when they are transmitted over the network +### Don't rely on EFS to encrypt user files when they're transmitted over the network -When you use the Encrypting File System (EFS) to encrypt files on a remote server, the encrypted data is not encrypted during transit over the network; it only becomes encrypted when it is stored on disk. +When you use the Encrypting File System (EFS) to encrypt files on a remote server, the encrypted data isn't encrypted during transit over the network; it only becomes encrypted when it's stored on disk. -This encryption process does not apply when your system includes Internet Protocol security (IPsec) or Web Distributed Authoring and Versioning (WebDAV). IPsec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before it is copied or moved to a WebDAV folder on a server, it remains encrypted during the transmission and while it is stored on the server. +This encryption process doesn't apply when your system includes Internet Protocol security (IPsec) or Web Distributed Authoring and Versioning (WebDAV). IPsec encrypts data while it's transported over a TCP/IP network. If the file is encrypted before it's copied or moved to a WebDAV folder on a server, it remains encrypted during the transmission and while it's stored on the server. ### Let the UE-V service create folders for each user To ensure that UE-V works optimally, create only the root share on the server, and let the UE-V service create the folders for each user. UE-V creates these user folders with the appropriate security. -This permission configuration enables users to create folders for settings storage. The UE-V service creates and secures a settings package folder while it runs in the context of the user. Users receive full control to their settings package folder. Other users do not inherit access to this folder. You do not have to create and secure individual user directories. The UE-V service that runs in the context of the user does it automatically. +This permission configuration enables users to create folders for settings storage. The UE-V service creates and secures a settings package folder while it runs in the context of the user. Users receive full control to their settings package folder. Other users don't inherit access to this folder. You don't have to create and secure individual user directories. The UE-V service that runs in the context of the user does it automatically. > [!NOTE] > Additional security can be configured when a Windows Server is used for the settings storage share. UE-V can be configured to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable additional security, use the following command: @@ -107,12 +107,12 @@ This permission configuration enables users to create folders for settings stora 2. Set the registry key value to *1*. -When this configuration setting is in place, the UE-V service verifies that the local Administrators group or current user is the owner of the settings package folder. If not, then the UE-V service does not grant access to the folder. +When this configuration setting is in place, the UE-V service verifies that the local Administrators group or current user is the owner of the settings package folder. If not, then the UE-V service doesn't grant access to the folder. If you must create folders for the users, ensure that you have the correct permissions set. -We strongly recommend that you do not pre-create folders. Instead, let the UE-V service create the folder for the user. +We strongly recommend that you don't pre-create folders. Instead, let the UE-V service create the folder for the user. ### Ensure correct permissions to store UE-V 2 settings in a home directory or custom directory @@ -120,9 +120,9 @@ If you redirect UE-V settings to a user’s home directory or a custom Active Di ### Review the contents of settings location templates and control access to them as needed -When creating a settings location template, the UE-V generator uses a Lightweight Directory Access Protocol (LDAP) query to get username and email address of the current logged in user. This information is stored in the template as the template author name and template author email. (None of this information is sent to Microsoft.) +When a settings location template is being created, the UE-V generator uses a Lightweight Directory Access Protocol (LDAP) query to get username and email address of the current logged in user. This information is stored in the template as the template author name and template author email. (None of this information is sent to Microsoft.) -If you plan to share settings location templates with anyone outside your organization you should review all the settings locations and ensure the settings location templates do not contain any personal or company information. You can view the contents by opening the settings location template files using any XML viewer. The following are ways you can view and remove any personal or company information from the settings location template files before sharing with anyone outside your company: +If you plan to share settings location templates with anyone outside your organization, you should review all the settings locations and ensure the settings location templates don't contain any personal or company information. You can view the contents by opening the settings location template files using any XML viewer. The following are ways you can view and remove any personal or company information from the settings location template files before sharing with anyone outside your company: - **Template Author Name** – Specify a general, non-identifying name for the template author name or exclude this data from the template. diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index 47ddb1c82a..0bfc613f89 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md +++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -25,7 +25,7 @@ This table provides a description of each SyncMethod configuration: |------------------------------|---------------------| | SyncProvider (Default) | Settings changes for a specific application or for global Windows desktop settings are saved locally to a cache folder. These changes are then synchronized with the settings storage location when a synchronization trigger event takes place. Pushing out changes will save the local changes to the settings storage path.
This default setting is the gold standard for computers. This option attempts to synchronize the setting and times out after a short delay to ensure that the application or operating system startup isn’t delayed for a long period of time.
This functionality is also tied to the Scheduled task – Sync Controller Application. The administrator controls the frequency of the Scheduled task. By default, computers synchronize their settings every 30 min after logging on. | | External | This configuration method specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access. | -| None | This configuration setting is designed for the Virtual Desktop Infrastructure (VDI) and Streamed Application experience primarily. This setting should be used on computers running the Windows Server operating system in a datacenter, where the connection will always be available.
Any settings changes are saved directly to the server. If the network connection to the settings storage path is not available, then the settings changes are cached on the device and are synchronized the next time that the Sync Provider runs. If the settings storage path is not found and the user profile is removed from a pooled VDI environment on logoff, then these settings changes are lost, and the user must reapply the change when the computer can again reach the settings storage path.
Apps and OS will wait indefinitely for the location to be present. This could cause App load or OS logon time to dramatically increase if the location is not found. | +| None | This configuration setting is designed for the Virtual Desktop Infrastructure (VDI) and Streamed Application experience primarily. This setting should be used on computers running the Windows Server operating system in a datacenter, where the connection will always be available.
Any settings changes are saved directly to the server. If the network connection to the settings storage path isn't available, then the settings changes are cached on the device and are synchronized the next time that the Sync Provider runs. If the settings storage path isn't found and the user profile is removed from a pooled VDI environment on sign out, then these settings changes are lost, and the user must reapply the change when the computer can again reach the settings storage path.
Apps and OS will wait indefinitely for the location to be present. This waiting period could cause App load or OS sign-in time to dramatically increase if the location isn't found. | You can configure the sync method in these ways: diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index c2a81519f1..56ff1970cc 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -17,14 +17,13 @@ ms.topic: article Microsoft User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. The combination of UE-V and App-V support for Office enables the same experience on virtualized instances of Office from any UE-V-enabled device or virtualized desktop. -To synchronize Office applications settings, you can download Office templates from the [User Experience Virtualization (UE-V) Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). This resource provides Microsoft-authored UE-V settings location templates as well as community-developed settings location templates. - +To synchronize Office applications settings, you can download Office templates from the [User Experience Virtualization (UE-V) Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). This resource provides Microsoft-authored UE-V settings location templates and community-developed settings location templates. ## Microsoft Office support in UE-V UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system. -These templates help synchronize users’ Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)). +These templates help synchronize users’ Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience aren't included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)). ## Synchronized Office Settings @@ -45,7 +44,6 @@ Review the following tables for details about Office support in UE-V: ## Deploying Office templates - You can deploy UE-V settings location template with the following methods: - **Registering template with PowerShell**. If you use Windows PowerShell to manage computers, run the following Windows PowerShell command as Administrator to register this settings location template: @@ -56,6 +54,6 @@ You can deploy UE-V settings location template with the following methods: For more information about using UE-V and Windows PowerShell, see [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). -- **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md). +- **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users' computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md). -- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. \ No newline at end of file +- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index 59e4e1d213..0396b91e54 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -16,7 +16,7 @@ ms.topic: article **Applies to** - Windows 10, version 1607 -User Experience Virtualization (UE-V) supports Microsoft Application Virtualization (App-V) applications without any required modifications to either the App-V package or the UE-V template. However, an additional step is required because you cannot run the UE-V template generator directly on a virtualized App-V application. Instead, you must install the application locally, generate the template, and then apply the template to the virtualized application. UE-V supports App-V for Windows 10 packages and App-V 5.0 packages. +User Experience Virtualization (UE-V) supports Microsoft Application Virtualization (App-V) applications without any required modifications to either the App-V package or the UE-V template. However, another step is required because you can't run the UE-V template generator directly on a virtualized App-V application. Instead, you must install the application locally, generate the template, and then apply the template to the virtualized application. UE-V supports App-V for Windows 10 packages and App-V 5.0 packages. ## UE-V settings synchronization for App-V applications @@ -26,7 +26,7 @@ UE-V monitors when an application opens by the program name and, optionally, by 1. Run the UE-V template generator to collect the settings of the locally installed application whose settings you want to synchronize between computers. This process creates a settings location template. If you use a built-in template such as a Microsoft Office template, skip this step. For more information about using the UE-V template generator, see [Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md). -2. Install the App-V application package if you have not already done so. +2. Install the App-V application package if you haven't already done so. 3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet. diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index 89fb778fef..a0b47df0de 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -10,22 +10,22 @@ ms.author: aaroncz ms.topic: article --- -# What's New in UE-V +# What's new in UE-V **Applies to** - Windows 10, version 1607 -User Experience Virtualization (UE-V) for Windows 10, version 1607, includes these new features and capabilities compared to UE-V 2.1. See [UE-V Release notes](uev-release-notes-1607.md) for more information about the UE-V for Windows 10, version 1607 release. +User Experience Virtualization (UE-V) for Windows 10, version 1607, includes these new features and capabilities compared to UE-V 2.1. For more information about the UE-V for Windows 10, version 1607 release, see [UE-V Release notes](uev-release-notes-1607.md). -## UE-V is now a feature in Windows 10 +## UE-V is a feature in Windows 10 -With Windows 10, version 1607 and later releases, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack. +With Windows 10, version 1607 and later releases, UE-V is included with Windows Enterprise. It's no longer part of the Microsoft Desktop Optimization Pack. The changes in UE-V for Windows 10, version 1607 impact already existing implementations of UE-V in the following ways: -- The UE-V Agent is replaced by the UE-V service. The UE-V service is installed with Windows 10, version 1607 and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the UE-V service, migrates users’ UE-V configurations, and updates the settings storage path. +- The UE-V Agent is replaced by the UE-V service. The UE-V service is installed with Windows 10, version 1607 and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the UE-V service, migrates users' UE-V configurations, and updates the settings storage path. -- The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work. +- The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although you'll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work. - The Company Settings Center was removed and is no longer available on user devices. Users can no longer manage their synchronized settings. @@ -33,11 +33,11 @@ The changes in UE-V for Windows 10, version 1607 impact already existing impleme For more information about how to configure an existing UE-V installation after upgrading user devices to Windows 10, see [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md). -> **Important**  You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10. +> **Important**  You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you'll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10. ## New UE-V template generator is available from the Windows 10 ADK -UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). +UE-V for Windows 10 includes a new template generator, available from a new location. If you're upgrading from an existing UE-V installation, you’ll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). ## Company Settings Center removed in UE-V for Windows 10, version 1607 @@ -47,7 +47,8 @@ With the release of Windows 10, version 1607, the Company Settings Center was re Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell. -**Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: +>[!Note] +>With the removal of the Company Settings Center, the following group policies are no longer applicable: - Contact IT Link Text - Contact IT URL @@ -57,32 +58,33 @@ Administrators can still define which user-customized application settings can s With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined devices only. -In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation. +In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) (ESR) can roam the rest, for example, Windows and desktop settings, themes, colors, and so on, to an Azure cloud installation. To configure UE-V to roam Windows desktop and application data only, change the following group policies: -- Disable “Roam Windows settings” group policy +- Disable "Roam Windows settings" group policy -- Enable “Do not synchronize Windows Apps” group policy +- Enable "Do not synchronize Windows Apps" group policy -For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs#what-are-the-options-for-roaming-settings-for-existing-windows-desktop-applications). +For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs#what-are-the-roaming-settings-options-for-existing-windows-desktop-applications-). Additionally, to enable Windows 10 and UE-V to work together, configure these policy settings in the Microsoft User Experience Virtualization node: -- Enable “Do Not Synchronize Windows Apps” +- Enable "Do Not Synchronize Windows Apps" -- Disable “Sync Windows Settings” +- Disable "Sync Windows Settings" ## Settings Synchronization Behavior Changed in UE-V for Windows 10 -While earlier versions of UE-V roamed taskbar settings between Windows 10 devices, UE-V for Windows 10, version 1607 does not synchronize taskbar settings between devices running Windows 10 and devices running previous versions of Windows. +While earlier versions of UE-V roamed taskbar settings between Windows 10 devices, UE-V for Windows 10, version 1607 doesn't synchronize taskbar settings between devices running Windows 10 and devices running previous versions of Windows. In addition, UE-V for Windows has removed support for the Windows calculator application. -The Windows modern apps settings (DontSyncWindows8AppSettings) group policy is enabled by default and therefore, modern apps will not roam unless this policy is changed to disabled. +The Windows modern apps settings (DontSyncWindows8AppSettings) group policy is enabled by default and therefore, modern apps won't roam unless this policy is changed to disabled. -Please note, UE-V will roam any AppX apps that use the WinRT settings roaming API, provided that they have been opted in to roam at the time of development by the developer so there is no definitive list. +> [!NOTE] +> UE-V will roam any AppX apps that use the WinRT settings roaming API, if they've been opted in to roam at the time of development by the developer so there is no definitive list. ## Support Added for Roaming Network Printers @@ -96,27 +98,25 @@ Printer roaming in UE-V requires one of these scenarios: - The printer driver can be imported from Windows Update. -> **Note**  The UE-V printer roaming feature does not roam printer settings or preferences, such as printing double-sided. +> [!Note] +> The UE-V printer roaming feature doesn't roam printer settings or preferences, such as printing double-sided. ## Office 2016 Settings Location Template -UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings location template with improved Outlook signature support. We’ve added synchronization of default signature settings for new, reply, and forwarded emails. Users no longer have to choose the default signature settings. +UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings location template with improved Outlook signature support. We've added synchronization of default signature settings for new, reply, and forwarded emails. Users no longer have to choose the default signature settings. -> **Note**  An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. +> [!Note] +> An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. -UE-V works with Office 365 to determine whether Office 2016 settings are roamed by Office 365. If settings are roamed by Office 365, they are not roamed by UE-V. See [Overview of user and roaming settings for Microsoft Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)) for more information. +UE-V works with Office 365 to determine whether Office 2016 settings are roamed by Office 365. If settings are roamed by Office 365, they aren't roamed by UE-V. For more information, see [Overview of user and roaming settings for Microsoft Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)). -To enable settings synchronization using UE-V, do one of the following: +To enable settings synchronization using UE-V, do one of the following steps: - Use Group Policy to disable Office 365 synchronization -- Do not enable the Office 365 synchronization experience during Office 2013 installation - -UE-V includes Office 2016, Office 2013, and Office 2010 templates. Office 2007 templates are no longer supported. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get templates from the [User Experience Virtualization Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). - - - +- Don't enable the Office 365 synchronization experience during Office 2013 installation +UE-V includes Office 2016, Office 2013, and Office 2010 templates. ## Related topics diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md index d0f06bd548..f857c6ac20 100644 --- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md +++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md @@ -1,6 +1,6 @@ --- title: Working with Custom UE-V Templates and the UE-V Template Generator -description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator. +description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator. author: aczechowski ms.prod: w10 ms.date: 04/19/2017 @@ -14,11 +14,11 @@ ms.topic: article # Working with custom UE-V templates and the UE-V template generator **Applies to** -- Windows 10, version 1607 +- Windows 10 -User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator. You can also edit or validate custom settings location templates with the UE-V template generator. +User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those settings included in the default templates, you can create your own custom settings location templates with the UE-V template generator. You can also edit or validate custom settings location templates with the UE-V template generator. -Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator does not create settings location templates for the following types of applications: +Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator doesn't create settings location templates for the following types of applications: - Virtualized applications - Applications that are offered through Terminal Services @@ -33,13 +33,13 @@ Discovered settings are grouped into two categories: **Standard** and **Non-stan The UE-V template generator opens the application as part of the discovery process. The generator can capture settings in the following locations: -- **Registry Settings** – Registry locations under **HKEY\_CURRENT\_USER** +- **Registry Settings** - Registry locations under **HKEY\_CURRENT\_USER** -- **Application Settings Files** – Files that are stored under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming** +- **Application Settings Files** - Files that are stored under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming** -The UE-V template generator excludes locations, which commonly store application software files, but do not synchronize well between user computers or environments. The UE-V template generator excludes these locations. Excluded locations are as follows: +The UE-V template generator excludes locations, which commonly store application software files, but don't synchronize well between user computers or environments. The UE-V template generator excludes these locations. Excluded locations are as follows: -- HKEY\_CURRENT\_USER registry keys and files to which the logged-on user cannot write values +- HKEY\_CURRENT\_USER registry keys and files to which the logged-on user can't write values - HKEY\_CURRENT\_USER registry keys and files that are associated with the core functionality of the Windows operating system @@ -57,7 +57,7 @@ If registry keys and files that are stored in these locations are required to sy Use the UE-V template generator to edit settings location templates. When the revised settings are added to the templates with the UE-V template generator, the version information within the template is automatically updated to ensure that any existing templates that are deployed in the enterprise are updated correctly. -**To edit a UE-V settings location template with the UE-V template generator** +### To edit a UE-V settings location template with the UE-V template generator 1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator. @@ -91,7 +91,7 @@ Use the UE-V template generator to edit settings location templates. When the re After you edit the settings location template for an application, you should test the template. Deploy the revised settings location template in a lab environment before you put it into production in the enterprise. -**How to manually edit a settings location template** +### How to manually edit a settings location template 1. Create a local copy of the settings location template .xml file. UE-V settings location templates are .xml files that identify the locations where application store settings values. @@ -108,14 +108,13 @@ Use the UE-V template generator to edit settings location templates. When the re 6. Validate the modified settings location template file by using the UE-V template generator. -7. You must register the edited UE-V settings location template before it can synchronize settings between client computers. To register a template, open Windows PowerShell, and then run the following cmdlet: `update-uevtemplate [templatefilename]`. You can then copy the file to the settings storage catalog. The UE-V Agent on users’ computers should then update as scheduled in the scheduled task. +7. You must register the edited UE-V settings location template before it can synchronize settings between client computers. To register a template, open Windows PowerShell, and then run the following cmdlet: `update-uevtemplate [templatefilename]`. You can then copy the file to the settings storage catalog. The UE-V Agent on users' computers should then update as scheduled in the scheduled task. ## Validate settings location templates with the UE-V template generator +It's possible to create or edit settings location templates in an XML editor without using the UE-V template generator. If you do, you can use the UE-V template generator to validate that the new or revised XML matches the schema that has been defined for the template. -It is possible to create or edit settings location templates in an XML editor without using the UE-V template generator. If you do, you can use the UE-V template generator to validate that the new or revised XML matches the schema that has been defined for the template. - -**To validate a UE-V settings location template with the UE-V template generator** +To validate a UE-V settings location template with the UE-V template generator: 1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator. @@ -129,35 +128,23 @@ It is possible to create or edit settings location templates in an XML editor wi After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise. +## Next steps + ## Share settings location templates with the Template Gallery The [User Experience Virtualization Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V) enables administrators to share their UE-V settings location templates. Upload your settings location templates to the gallery for other users to use, and download templates that other users have created. -Before you share a settings location template on the UE-V template gallery, ensure it does not contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company. +Before you share a settings location template on the UE-V template gallery, ensure it doesn't contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company. - Template Author Name – Specify a general, non-identifying name for the template author name or exclude this data from the template. - Template Author Email – Specify a general, non-identifying template author email or exclude this data from the template. -Before you deploy any settings location template that you have downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment. - - - - +Before you deploy any settings location template that you've downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment. ## Related topics - [Administering UE-V](uev-administering-uev.md) [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md) - - - - - - - - - diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 94e31def8a..0186f5e66f 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -43,8 +43,8 @@ Specifies the settings you can configure when joining a device to a domain, incl | Account | String | Account to use to join computer to domain | | AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account | | ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, including `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10 version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) | -| DomainName | String (cannot be empty) | Specify the name of the domain that the device will join | -| Password | String (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | +| DomainName | String (can't be empty) | Specify the name of the domain that the device will join | +| Password | String (can't be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | ## Users @@ -52,7 +52,7 @@ Use these settings to add local user accounts to the device. | Setting | Value | Description | | --- | --- | --- | -| UserName | String (cannot be empty) | Specify a name for the local user account | -| HomeDir | String (cannot be empty) | Specify the path of the home directory for the user | -| Password | String (cannot be empty) | Specify the password for the user account | -| UserGroup | String (cannot be empty) | Specify the local user group for the user | +| UserName | String (can't be empty) | Specify a name for the local user account | +| HomeDir | String (can't be empty) | Specify the path of the home directory for the user | +| Password | String (can't be empty) | Specify the password for the user account | +| UserGroup | String (can't be empty) | Specify the local user group for the user | diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 5ebc1cccde..df8f60051d 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -36,7 +36,7 @@ Select between **Prevent Pre-launching** and **Allow Pre-launching**. Use to add items to the Favorites Bar in Microsoft Edge. -1. Enter a name for the item, and select **Add**. (The name you enter here is only used to distinguish the group of settings, and is not shown on the device when the settings are applied.) +1. Enter a name for the item, and select **Add**. (The name you enter here's only used to distinguish the group of settings, and isn't shown on the device when the settings are applied.) 2. In **Available customizations**, select the item that you added, and then configure the following settings for that item: Setting | Description @@ -53,7 +53,7 @@ To add a new item under the browser's **Favorites** list: 1. In the **Name** field, enter a friendly name for the item, and then click **Add**. -2. In the **Available customizations** pane, select the friendly name that you just created, and in the text field, enter the URL for the item. +2. In the **Available customizations** pane, select the friendly name that you created, and in the text field, enter the URL for the item. For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "" for the URL. @@ -65,18 +65,18 @@ For example, to include the corporate Web site to the list of browser favorites, Set the value to a character string that corresponds to the OEM's Partner Search Code. This identification code must match the one assigned to you by Microsoft. -OEMs who are part of the program only have one PartnerSearchCode and this should be used for all Windows 10 for desktop editions images. +OEMs who are part of the program only have one PartnerSearchCode which should be used for all Windows 10 for desktop editions images. ## SearchProviders -Contains the settings you can use to configure the default and additional search providers. +Contains the settings you can use to configure the default and other search providers. ### Default -Use *Default* to specify a name that matches one of the search providers you enter in [SearchProviderList](#searchproviderlist). If you don't specify a default search provider, this will default to Microsoft Bing. +Use *Default* to specify a name that matches one of the search providers you enter in [SearchProviderList](#searchproviderlist). If you don't specify a default search provider, this search provider will default to Microsoft Bing. #### Specific region guidance @@ -89,13 +89,13 @@ Some countries require specific, default search providers. The following table l ### SearchProviderList -Use to specify a list of additional search providers. +Use to specify a list of extra search providers. 1. In the **Name** field, enter a name for the item, and then click **Add**. -2. In the **Available customizations** pane, select the name that you just created, and in the text field, enter the URL for the additional search provider. +2. In the **Available customizations** pane, select the name that you created, and in the text field, enter the URL for the other search provider. For example, to specify Yandex in Russia and Commonwealth of Independent States (CIS), set the value of URL to "https://yandex.ru/search/touch/?text={searchTerm}&clid=2234144". -When configured with multiple search providers, the browser can display up to ten search providers. +When configured with multiple search providers, the browser can display up to 10 search providers. diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index 615458a1b5..f2f39286c3 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -13,12 +13,12 @@ manager: dougeby # CellCore (Windows Configuration Designer reference) -Setting documentation is provided for Windows 10, version 1803 and earlier. CellCore is not available in Windows 10, version 1809. +>Setting documentation is provided for Windows 10, version 1803 and earlier. CellCore isn't available in Windows 10, version 1809. Use to configure settings for cellular data. >[!IMPORTANT] ->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise. +>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and aren't intended for use by administrators in the enterprise. ## Applies to |Setting groups | Windows client | Surface Hub | HoloLens | IoT Core| @@ -47,12 +47,12 @@ Use to configure settings for cellular data. ### CellConfigurations 1. In **CellConfiguration** > **PropertyGroups**, enter a name for the property group. -2. Select the **PropertyGroups** you just created in the **Available customizations** pane and then enter a **PropertyName**. -3. Select the **PropertyName** you just created in the **Available customizations** pane, and then select one of the following data types for the property: - - Binary - - Boolean - - Integer - - String +2. Select the **PropertyGroups** you created in the **Available customizations** pane and then enter a **PropertyName**. +3. Select the **PropertyName** you created in the **Available customizations** pane, and then select one of the following data types for the property: + - Binary + - Boolean + - Integer + - String 4. The data type that you selected is added in **Available customizations**. Select it to enter a value for the property. ### CellData @@ -121,11 +121,11 @@ Use to configure settings for cellular data. ### CGDual -Use **CGDual** > **RestrictToGlobalMode** to configure settings for global mode on C+G Dual SIM phones. When the device registration changes, if the value for this setting is set, the OS changes the preferred system type to the default preferred system type for world mode. If the phone is not camped on any network, the OS assumes the phone is on the home network and changes the network registration preference to default mode. +Use **CGDual** > **RestrictToGlobalMode** to configure settings for global mode on C+G Dual SIM phones. When the device registration changes, if the value for this setting is set, the OS changes the preferred system type to the default preferred system type for world mode. If the phone isn't camped on any network, the OS assumes the phone is on the home network and changes the network registration preference to default mode. -Select from the following: +Select from the following modes: -- RestrictToGlobalMode_Disabled: the phone is not restricted to global mode. +- RestrictToGlobalMode_Disabled: the phone isn't restricted to global mode. - RestrictToGlobalMobe_Home: when a slot is registered at home and supports global mode, the mode selection is restricted to global mode. - RestrictToGlobalMode_Always: if a slot supports global mode and this value is selected, the mode selection is restricted to global mode. @@ -205,7 +205,7 @@ Configure **FwUpdate** > **AllowedAppIdList** to list apps that are allowed to u |:--|:--| |AckExpirySeconds |Set the value, in seconds, for how long to wait for a client ACK before trying to deliver. | |DefaultMCC |Set the default mobile country code (MCC).| -|Encodings > GSM7BitEncodingPage |Enter the code page value for the 7-bit GSM default alphabet encoding. Values:

- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)
- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)| +|Encodings > GSM7BitEncodingPage |Enter the code page value for the 7-bit GSM default alphabet encoding. Values:

- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)
- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)
- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)
- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)
- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)| |Encodings > GSM8BitEncodingPage|Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. | |Encodings > OctetEncodingPage |Set the octet (binary) encoding.| |Encodings > SendUDHNLSS |Set the 7 bit GSM shift table encoding.| @@ -229,8 +229,9 @@ Configure **FwUpdate** > **AllowedAppIdList** to list apps that are allowed to u Setting | Description |:-|:--| -|SIM1ToUIM1 |Used to show UIM1 as an alternate string instead of SIM1 for the first SIM on C+G dual SIM phones.| -|SIMToSIMUIM |Partners can change the string "SIM" to "SIM/UIM" to accommodate scenarios such as Dual Mode cards of SIM cards on the phone. This can provide a better user experience for users in some markets. Enabling this customization changes all "SIM" strings to "SIM/UIM".| +SIM1ToUIM1 | Used to show UIM1 as an alternate string instead of SIM1 for the first SIM on C+G dual SIM phones. +SIMToSIMUIM | Partners can change the string "SIM" to "SIM/UIM" to accommodate scenarios such as Dual Mode cards of SIM cards on the phone. This scenario can provide a better experience for users in some markets. Enabling this customization changes all "SIM" strings to "SIM/UIM". + ### UTK @@ -242,6 +243,7 @@ Setting | Description ## PerIMSI Enter an IMSI, click **Add**, and then select the IMSI that you added to configure the following settings. + ### CellData |Setting |Description| @@ -385,7 +387,9 @@ See descriptions in Windows Configuration Designer. |3 (The SIM card fails authentication or one of the identity check procedures. This can also happen due to a duplication of the TMSI across different MSCs.) |Can't verify SIM MM#3 |Invalid SIM| |6 (The device has been put on a block list, such as when the phone has been stolen or the IMEI is restricted.) | Phone not allowed MM#6 | No service| -## Values for MultivariantProvisionedSPN + + +## Values for MultivariantProvisionedSPN Set the MultivariantProvisionedSPN value to the name of the SPN or mobile operator. @@ -394,17 +398,17 @@ The following table shows the scenarios supported by this customization. >[!NOTE] >In the Default SIM name column: > ->- The " " in MultivariantProvisionedSPN" "1234 means that there is a space between the mobile operator name or SPN and the last 4 digits of the MSISDN. +>- The " " in MultivariantProvisionedSPN" "1234 means that there's a space between the mobile operator name or SPN and the last 4 digits of the MSISDN. >- MultivariantProvisionedSPN means the value that you set for the MultivariantProvisionedSPN setting. >- SIM 1 or SIM 2 is the default friendly name for the SIM in slot 1 or slot 2. -|Multivariant setting set?|SPN provisioned?|MSISDN (last 4 digits: 1234, for example) provisioned?|Default SIM name| -|:---|:---|:---|:---| -|Yes|Yes|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234| -|Yes|No|No|*MultivariantProvisionedSPN* (up to 16 characters)| -|Yes|Yes|No|*MultivariantProvisionedSPN* (up to 16 characters)| -|Yes|No|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234| -|No|Yes|Yes|If SPN string >= 12: *SPN*1234

If SPN string < 12: *SPN*" "1234| -|No|No|No|*SIM 1* or *SIM 2*| -|No|Yes|No|SPN (up to 16 characters)| -|No|No|Yes|*SIM 1* or *SIM 2*| +Multivariant setting set?|SPN provisioned?|MSISDN (last four digits: 1234, for example) provisioned?|Default SIM name +--- | --- | --- | --- +Yes|Yes|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234 +Yes|No|No|*MultivariantProvisionedSPN* (up to 16 characters) +Yes|Yes|No|*MultivariantProvisionedSPN* (up to 16 characters) +Yes|No|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234 +No|Yes|Yes|If SPN string >= 12: *SPN*1234

If SPN string < 12: *SPN*" "1234 +No|No|No|*SIM 1* or *SIM 2* +No|Yes|No|SPN (up to 16 characters) +No|No|Yes|*SIM 1* or *SIM 2* diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index a83e01ed1d..02b779a5db 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -19,7 +19,7 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo - In [ClientCertificates](#clientcertificates), you specify a certificate that will be added to the Personal store on the target device, and provide (password, keylocation), (and configure whether the certificate can be exported). - In [RootCertificates](#rootcertificates), you specify a certificate that will be added to the Trusted Root CA store on the target device. - In [TrustedPeopleCertificates](#trustedpeoplecertificates), you specify a certificate that will be added to the Trusted People store on the target device. -- In [TrustedProvisioners](#trustedprovisioners), you specify a certificate which allows devices to automatically trust packages from the specified publisher. +- In [TrustedProvisioners](#trustedprovisioners), you specify a certificate that allows devices to automatically trust packages from the specified publisher. ## Applies to @@ -31,14 +31,14 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo ## CACertificates 1. In **Available customizations**, select **CACertificates**, enter a friendly name for the certificate, and then click **Add**. -2. In **Available customizations**, select the name that you just created. +2. In **Available customizations**, select the name that you created. 3. In **CertificatePath**, browse to or enter the path to the certificate. ## ClientCertificates 1. In **Available customizations**, select **ClientCertificates**, enter a friendly name for the certificate, and then click **Add**. -2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required. +2. In **Available customizations**, select the name that you created. The following table describes the settings you can configure. Settings in **bold** are required. | Setting | Value | Description | | --- | --- | ---- | @@ -50,20 +50,20 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo ## RootCertificates 1. In **Available customizations**, select **RootCertificates**, enter a friendly name for the certificate, and then click **Add**. -2. In **Available customizations**, select the name that you just created. +2. In **Available customizations**, select the name that you created. 3. In **CertificatePath**, browse to or enter the path to the certificate. ## TrustedPeopleCertificates 1. In **Available customizations**, select **TrustedPeopleCertificates**, enter a friendly name for the certificate, and then click **Add**. -2. In **Available customizations**, select the name that you just created. +2. In **Available customizations**, select the name that you created. 3. In **TrustedCertificate**, browse to or enter the path to the certificate. ## TrustedProvisioners 1. In **Available customizations**, select **TrustedPprovisioners**, enter a CertificateHash, and then click **Add**. -2. In **Available customizations**, select the name that you just created. +2. In **Available customizations**, select the name that you created. 3. In **TrustedProvisioner**, browse to or enter the path to the certificate. ## Related topics diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index 24465ae5a5..4468f64eee 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -24,7 +24,7 @@ Use to configure settings related to various types of phone connections. For each setting group: 1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**. -2. In **Available customizations**, select the name that you just created. +2. In **Available customizations**, select the name that you created. ## Cellular diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 307aab14ca..21f4e49131 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -31,7 +31,7 @@ Use to configure profiles that a user will connect with, such as an email accoun Specify an email account to be automatically set up on the device. 1. In **Available customizations**, select **Email**, enter a friendly name for the account, and then click **Add**. -2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure for each account. Settings in **bold** are required. +2. In **Available customizations**, select the name that you created. The following table describes the settings you can configure for each account. Settings in **bold** are required. | Setting | Description | | --- | --- | @@ -61,7 +61,7 @@ Configure settings related to Exchange email server. These settings are related 1. In **Available customizations**, select **Exchange**, enter a name for the account, and then click **Add**. A globally unique identifier (GUID) is generated for the account. -2. In **Available customizations**, select the GUID that you just created. The following table describes the settings you can configure. Settings in **bold** are required. +2. In **Available customizations**, select the GUID that you created. The following table describes the settings you can configure. Settings in **bold** are required. | Setting | Description | | --- | --- | @@ -88,7 +88,7 @@ Configure settings related to Exchange email server. These settings are related ## KnownAccounts -Configure the settings to add additional email accounts. +Configure the settings to add more email accounts. | Setting | Description | | --- | --- | @@ -110,7 +110,7 @@ Configure settings to change the default maximum transmission unit ([MTU](#mtu)) ### VPN 1. In **Available customizations**, select **VPNSetting**, enter a friendly name for the account, and then click **Add**. -2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required. +2. In **Available customizations**, select the name that you created. The following table describes the settings you can configure. Settings in **bold** are required. | Setting | Description | | --- | --- | @@ -118,14 +118,14 @@ Configure settings to change the default maximum transmission unit ([MTU](#mtu)) | AlwaysOn | Set to **True** to automatically connect the VPN at sign-in | | ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi network as the VPN client can bypass VPN | | DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is used as the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. | -| LockDown | When set to **True**:
- Profile automatically becomes an "always on" profile
- VPN cannot be disconnected
-If the profile is not connected, the user has no network connectivity
- No other profiles can be connected or modified | +| LockDown | When set to **True**:
- Profile automatically becomes an "always on" profile
- VPN can't be disconnected
-If the profile isn't connected, the user has no network connectivity
- No other profiles can be connected or modified | | Proxy | Configure to **Automatic** or **Manual** | | ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings | | ProxyServer | When **Proxy** is set to **Manual**, enter the proxy server address as a fully qualified hostname or enter `IP address:Port` | | RememberCredentials | Select whether credentials should be cached | -| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | +| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | -When **ProfileType** is set to **Native**, the following additional settings are available. +When **ProfileType** is set to **Native**, the following extra settings are available. Setting | Description --- | --- @@ -135,11 +135,11 @@ NativeProtocolType | Choose between **PPTP**, **L2TP**, **IKEv2**, and **Automat RoutingPolicyType | Choose between **SplitTunnel**, in which traffic can go over any interface as determined by the networking stack, and **ForceTunnel**, in which all IP traffic must go over the VPN interface. Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. -When **ProfileType** is set to **Third Party**, the following additional settings are available. +When **ProfileType** is set to **Third Party**, the following extra settings are available. Setting | Description --- |--- -PluginProfileCustomConfiguration | Enter HTML-encoded XML for SSL-VPN plug-in specific configuration, including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plug-in provider for format and other details. Most plug-ins can also configure values based on the server negotiations as well as defaults. +PluginProfileCustomConfiguration | Enter HTML-encoded XML for SSL-VPN plug-in specific configuration, including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plug-in provider for format and other details. Most plug-ins can also configure values based on the server negotiations and defaults. PluginProfilePackageFamilyName | Choose between **Pulse Secure VPN**, **F5 VPN Client**, and **SonicWALL Mobile Connect**. PluginProfileServerUrlList | Enter a comma-separated list of servers in URL, hostname, or IP format. @@ -173,7 +173,7 @@ You can use these settings to configure system capabilities for Wi-Fi adapters, | --- | --- | | CoexistenceSupport | Specify the type of co-existence that's supported on the device:

- **Both**: Both Wi-Fi and Bluetooth work at the same performance level during co-existence
- **Wi-Fi reduced**: On a 2X2 system, Wi-Fi performance is reduced to 1X1 level
- **Bluetooth centered**: When co-existing, Bluetooth has priority and restricts Wi-Fi performance
- **One**: Either Wi-Fi or Bluetooth will stop working | | NumAntennaConnected | Enter the number of antennas that are connected to the WLAN radio | -| SimultaneousMultiChannelSupported | Enter the maximum number of channels that the Wi-Fi device can simultaneously operate on. For example, you can use this to specify support for Station mode and Wi-Fi Direct GO on separate channels simultaneously. | +| SimultaneousMultiChannelSupported | Enter the maximum number of channels that the Wi-Fi device can simultaneously operate on. For example, you can use this setting to specify support for Station mode and Wi-Fi Direct GO on separate channels simultaneously. | | WLANFunctionLevelDeviceResetSupported | Select whether the device supports functional level device reset (FLDR). The FLDR feature in the OS checks this system capability exclusively to determine if it can run. | | WLANPlatformLevelDeviceResetSupported | Select whether the device supports platform level device reset (PLDR). The PLDR feature in the OS checks this system capability exclusively to determine if it can run. | @@ -192,7 +192,7 @@ Configure settings for wireless connectivity. ### WLANXmlSettings -Enter a SSID, click **Add**, and then configure the following settings for the SSID. +Enter an SSID, click **Add**, and then configure the following settings for the SSID. | Settings | Description | | --- | --- | diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index 6a101c9fd1..a643a6b0f5 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -34,7 +34,7 @@ Select the appropriate form from the dropdown menu. | --- | --- | | Phone | A typical smartphone combines cellular connectivity, a touch screen, rechargeable power source, and other components into a single chassis. | | LargeScreen | Microsoft Surface Hub | -| HMD | (Head-mounted display) A holographic computer that is completely untethered - no wires, phones, or connection to a PC needed. | +| HMD | (Head-mounted display) A holographic computer that is untethered - no wires, phones, or connection to a PC needed. | | IndustryHandheld | A device screen less than 7” diagonal designed for industrial solutions. May or may not have a cellular stack. | | IndustryTablet | A device with an integrated screen greater than 7” diagonal and no attached keyboard designed for industrial solutions as opposed to consumer personal computer. May or may not have a cellular stack. | | Banking | A machine at a bank branch or another location that enables customers to perform basic banking activities including withdrawing money and checking one's bank balance. | @@ -54,10 +54,10 @@ Select the appropriate form from the dropdown menu. | Toy | A device used solely for enjoyment or entertainment. | | Vending | A machine that dispenses items in exchange for payment in the form of coin, currency, or credit/debit card. | | IndustryOther |A device that doesn't fit into any of the previous categories. | -| Desktop | A desktop PC form factor traditional comes in an upright tower or small desktop chassis and does not have an integrated screen. | -| Notebook | A notebook is a portable clamshell device with an attached keyboard that cannot be removed. | -| Convertible | A convertible device is an evolution of the traditional notebook where the keyboard can be swiveled, rotated or flipped, but not completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | -| Detachable | A detachable device is an evolution of the traditional notebook where the keyboard can be completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | +| Desktop | A desktop PC form factor traditional comes in an upright tower or small desktop chassis and doesn't have an integrated screen. | +| Notebook | A notebook is a portable clamshell device with an attached keyboard that can't be removed. | +| Convertible | A convertible device is an evolution of the traditional notebook where the keyboard can be swiveled, rotated or flipped, but not completely removed. It's a blend between a traditional notebook and tablet, also called a 2-in-1. | +| Detachable | A detachable device is an evolution of the traditional notebook where the keyboard can be removed. It's a blend between a traditional notebook and tablet, also called a 2-in-1. | | AIO | An All-in-One (AIO) device is an evolution of the traditional desktop with an attached display. | | Stick | A device that turns your TV into a Windows computer. Plug the stick into the HDMI slot on the TV and connect a USB or Bluetooth keyboard or mouse. | | Puck | A small-size PC that users can use to plug in a monitor and keyboard. | diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index a5bb59742b..0eba4cd0e2 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -27,7 +27,7 @@ Use to configure device management settings. ## Accounts 1. In **Available customizations**, select **Accounts**, enter a friendly name for the account, and then click **Add**. -2. In **Available customizations**, select the account that you just created. The following table describes the settings you can configure. Settings in **bold** are required. +2. In **Available customizations**, select the account that you created. The following table describes the settings you can configure. Settings in **bold** are required. | Setting | Description | | --- | --- | @@ -58,14 +58,14 @@ Use to configure device management settings. ## PGList 1. In **Available customizations**, select **PGList**, enter a LogicalProxyName, and then click **Add**. -2. In **Available customizations**, select the LogicalProxyName that you just created, and then select **PhysicalProxies**. +2. In **Available customizations**, select the LogicalProxyName that you created, and then select **PhysicalProxies**. 3. Enter a PhysicalProxyName, and then click **Add**. The following table describes the settings you can configure for the physical proxy and for **Trust**. | Setting | Description | | --- | --- | | Address | Enter the address of the physical proxy | | AddressType | Select between **E164**, **IPV4**, and **IPV^** for the format and protocol of the PXADDR element for a physical proxy | -| MatchedNapID | Enter a string that defines the SMS bearer. This string must match the NAPID exactly. The value must contains MVID macro if it is an IPv4 PXADDRTYPE. | +| MatchedNapID | Enter a string that defines the SMS bearer. This string must match the NAPID exactly. The value must contain MVID macro if it's an IPv4 PXADDRTYPE. | | PushEnabled | Select whether push operations are enabled | | Trust | Specify whether or not the physical proxies in this logical proxy are privileged | diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index 025c70a9b5..2f607deb18 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -1,5 +1,5 @@ --- -title: FirstExperience (Windows 10) +title: FirstExperience description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 author: aczechowski @@ -13,18 +13,18 @@ manager: dougeby # FirstExperience (Windows Configuration Designer reference) -Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens. +Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens. ## Applies to -| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | +| All settings | | | X | | -Setting | Description ---- | --- -PreferredRegion | Enter the [geographical location identifier](/windows/win32/intl/table-of-geographical-locations) for the region. -PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](/previous-versions/windows/embedded/ms912391(v=winembedded.11)) -SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. -SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. -SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.

**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). +| Setting | Description | +| --- | --- | +| PreferredRegion | Enter the [geographical location identifier](/windows/win32/intl/table-of-geographical-locations) for the region. | +| PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](/previous-versions/windows/embedded/ms912391(v=winembedded.11)) | +| SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. | +| SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. | +| SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.

**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](/hololens/hololens2-start). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). | diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index 20e53f7d72..4d50550dee 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -27,18 +27,18 @@ Automatically detect network proxy settings. | Value | Description | | --- | --- | -| 0 | Disabled. Do not automatically detect settings. | +| 0 | Disabled. Don't automatically detect settings. | | 1 | Enabled. Automatically detect settings. | ## ProxyServer -Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. +Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings don't apply to VPN connections. | Setting | Description | | --- | --- | | ProxyAddress | Address to the proxy server. Specify an address in the format `server:port`. | -| ProxyExceptions | Addresses that should not use the proxy server. The system will not use the proxy server for addresses that begin with the values specified in this node. Use semicolons (;) to separate entries. | -| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.

- 0 = Disabled. Do not use the proxy server for local addresses.
- 1 = Enabled. Use the proxy server for local addresses. | +| ProxyExceptions | Addresses that shouldn't use the proxy server. The system won't use the proxy server for addresses that begin with the values specified in this node. Use semicolons (;) to separate entries. | +| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.

- 0 = Disabled. Don't use the proxy server for local addresses.
- 1 = Enabled. Use the proxy server for local addresses. | ## SetupScriptUrl diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index fddfc8e061..59377ff9bc 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -46,10 +46,10 @@ This section describes the **Policies** settings that you can configure in [prov | [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | | | ✔️ | | [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | | | ✔️ | | [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | ✔️ | | | | +| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting are allowed | ✔️ | | | | | [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | | | | | [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | | | | -| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | | | | +| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allowlist, disallow list, etc. | | | | | | [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | ✔️ | | | | | [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | | | ✔️ | | [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | | | ✔️ | @@ -63,7 +63,7 @@ This section describes the **Policies** settings that you can configure in [prov | --- | --- | :---: | :---: | :---: | :---: | | [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✔️ | ✔️ | ✔️ | ✔️ | | [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | | ✔️ | -| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | ✔️ | ✔️ | | ✔️ | +| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows sign-in support for non-ADFS federated providers (for example, SAML). | ✔️ | ✔️ | | ✔️ | | [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | | ✔️ | @@ -95,7 +95,7 @@ This section describes the **Policies** settings that you can configure in [prov [AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | | | | | [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | | ✔️ | | [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | | -| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do not Track headers are allowed. | ✔️ | ✔️ | | ✔️ | | [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | | | [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | | | [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | | @@ -115,18 +115,18 @@ This section describes the **Policies** settings that you can configure in [prov | [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | | ✔️ | [AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | | | | | [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | | -| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ | +| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to five more search engines for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ | | [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | | -| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | | +| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it's selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | | | [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | | | [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | | | [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | | | [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | | | [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | | -[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | | +[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send more diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | | | [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | | | [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | | -| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | ✔️ | | | | +| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it's opened for the first time. | ✔️ | | | | | [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | | [LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | | | | | [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | | ✔️ | @@ -136,9 +136,9 @@ This section describes the **Policies** settings that you can configure in [prov | [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | | ✔️ | | [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | | ✔️ | PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | | -| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | | +| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users can't turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | | | [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | | ✔️ | -[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | ✔️ | | | | +[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites that will appear for employees. | ✔️ | | | | | [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | | | [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | | ✔️ | | [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | | @@ -175,7 +175,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | -[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | ✔️ | | | | +[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy doesn't actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered, the devices are for ready for use by information workers or students. | ✔️ | | | | ## Cryptography @@ -205,7 +205,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | | | [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore during a scan. Separate each file type in the list by using \|. | ✔️ | | | | | [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | | -| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | | +| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself isn't excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | | | [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | | | [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | | | [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | | @@ -280,7 +280,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | -| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | | | | +| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste are allowed. | | | | | | [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | | ✔️ | | | [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | | | | | [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✔️ | | | | @@ -319,13 +319,13 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store. | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | -|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | | -|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ | | | | +|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This setting is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | | +|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This setting is used to configure blocked URLs kiosk browsers can't navigate to. | ✔️ | | | | |[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | | |[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | | |[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | | |[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | | -|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ | | | | +|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser. | ✔️ | | | | To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: @@ -334,7 +334,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in 3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). 4. Save the XML file. 5. Open the project again in Windows Configuration Designer. -6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. +6. Export the package. Ensure you don't revisit the created policies under Kiosk Browser or else the null character will be removed. ## LocalPoliciesSecurityOptions @@ -348,7 +348,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | -| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | +| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Don't use. | | | | | ## Power @@ -374,8 +374,8 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | | | [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | | | [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | | -| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | ✔️ | | | | -| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | ✔️ | | | | +| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user isn't present while on battery. | ✔️ | | | | +| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user isn't present while plugged in. | ✔️ | | | | ## Privacy @@ -390,11 +390,11 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | [AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | | | | -[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | +[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This setting specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | | [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | | | | | [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | | ✔️ | | | [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | | | | -| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

- **Off** setting disables Windows indexer
- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
- **Enterprise** setting reduces potential network loads for enterprises
- **Standard** setting is appropriate for consumers | ✔️ | | | | +| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To provide these features, it requires access to the file system and app data stores such as Outlook OST files.

- **Off** setting disables Windows indexer
- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
- **Enterprise** setting reduces potential network loads for enterprises
- **Standard** setting is appropriate for consumers | ✔️ | | | | | [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | | | | | [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | | | | | [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | | | | @@ -424,7 +424,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | | | | | [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | | | | | [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | | ✔️ | | -| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | | +| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing other calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | | [PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | | ## Start @@ -448,7 +448,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | | | [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | | | [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | | -| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | | +| HidePeopleBar | Remove the people icon from the taskbar, and the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | | | [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | | | [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | | | [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | | @@ -478,7 +478,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | | | | | DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✔️ | | | | | [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | | -| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | | | | +| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus other enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | | | | ## TextInput @@ -486,7 +486,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | | [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | | -| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | ✔️ | | | | +| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that don't exist in the device's local dictionary. | ✔️ | | | | | [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✔️ | | | | | [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | | | [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | | @@ -494,7 +494,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | | | [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | | | [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | | -| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | +| AllowUserInputsFromMiracastRecevier | Don't use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | @@ -511,9 +511,9 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | |---------|-------------|:--------------:|:-----------:|:--------:|:--------:| -| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots aren't scheduled. | ✔️ | ✔️ | | ✔️ | | [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ | -| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots aren't scheduled. | ✔️ | ✔️ | | ✔️ | | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ | | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | | ✔️ | | [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | @@ -529,7 +529,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ | | [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ | | [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ | -| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ | +| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Don't allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ | | [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | | [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | | [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ | @@ -537,7 +537,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ | | [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ | | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windows Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ | -| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | | ✔️ | +| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it's missing from the metadata. | ✔️ | ✔️ | | ✔️ | | ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ | | PhoneUpdateRestrictions | Deprecated | | ✔️ | | | | [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ | diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index 4d3996dcfd..5e2b059925 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -29,8 +29,8 @@ Use SurfaceHubManagement settings to set the administrator group that will manag ## GroupName -Enter the group name for the administrators group in Active Directory. +Enter the group name for the administrators' group in Active Directory. ## GroupSid -Enter the SID or the administrators group in Active Directory. +Enter the SID or the administrators' group in Active Directory. diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 3f9a6310d2..6bd9df7cb4 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -1,14 +1,14 @@ --- title: Windows 10 accessibility information for IT Pros (Windows 10) -description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them +description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: w10 -ms.author: aaroncz -author: aczechowski +ms.author: lizlong +author: lizgt2000 ms.localizationpriority: medium ms.date: 01/12/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: reference --- @@ -19,7 +19,7 @@ This topic helps IT administrators learn about built-in accessibility features, ## General recommendations - **Be aware of Ease of Access settings** – Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows 10. - **Do not block settings** – Avoid using Group Policy or MDM settings that override Ease of Access settings. -- **Encourage choice** – Allow people in your organization to customize their computers based on their needs. That might mean installing an add-on for their browser, or a non-Microsoft assistive technology. +- **Encourage choice** – Allow people in your organization to customize their computers based on their needs. That customization might mean installing an add-on for their browser, or a non-Microsoft assistive technology. ## Vision @@ -28,12 +28,12 @@ This topic helps IT administrators learn about built-in accessibility features, | [Use Narrator to use devices without a screen](https://support.microsoft.com/help/22798/windows-10-narrator-get-started) | Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices.| | [Create accessible apps](https://developer.microsoft.com/windows/accessible-apps) | You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.| | Use keyboard shortcuts for [Windows](https://support.microsoft.com/help/12445/windows-keyboard-shortcuts), [Narrator](https://support.microsoft.com/help/22806), and [Magnifier](https://support.microsoft.com/help/13810) | Get the most out of Windows with shortcuts for apps and desktops.| -| Get closer with [Magnifier](https://support.microsoft.com/help/11542/windows-use-magnifier) | Magnifier enlarges all or part of your screen and offers a variety of configuration settings.| +| Get closer with [Magnifier](https://support.microsoft.com/help/11542/windows-use-magnifier) | Magnifier enlarges all or part of your screen and offers various configuration settings.| | [Cursor and pointer adjustments](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.| -| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle a variety of tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.| +| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.| | [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.| | [Customize the size](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) of screen items | You can adjust the size of text, icons, and other screen items to make them easier to see.| -| [Improve contrast](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | A number of high-contrast themes are available to suit your needs.| +| [Improve contrast](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Many high-contrast themes are available to suit your needs.| | [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.| | [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.| | [Read in Braille](https://support.microsoft.com/help/4004263) | Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.| @@ -43,19 +43,19 @@ This topic helps IT administrators learn about built-in accessibility features, | Accessibility feature | Description | |---------------------------|------------| | [Transcribe with Translator](https://www.skype.com/en/features/skype-translator) | Translator can transcribe voice to text so you won’t miss what’s being said. | -| [Use Skype for sign language](https://www.skype.com/en/) | Skype is available on a variety of platforms and devices, so you don’t have to worry about whether your co-workers, friends and family can communicate with you.| +| [Use Skype for sign language](https://www.skype.com/en/) | Skype is available on various platforms and devices, so you don’t have to worry about whether your co-workers, friends and family can communicate with you.| | [Get visual notifications for sounds](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | You can replace audible alerts with visual alerts.| | [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear)|If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.| | [Read spoken words with closed captioning](https://support.microsoft.com/help/21055/windows-10-closed-caption-settings) | You can customize things like color, size, and background transparency to suit your needs and tastes.| -| [Switch to mono audio](https://support.microsoft.com/help/27933/) | Sending all sounds to both left and right channels is helpful for those with partial hearing loss or deafness in one ear.| +| [Switch to mono audio](https://support.microsoft.com/help/27933/) | Sending all sounds to both left and right channels is helpful for those people with partial hearing loss or deafness in one ear.| ## Physical | Accessibility feature | Description| |---------------------------|------------| -| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle a variety of tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.| +| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.| | [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.| -| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or othet pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).| +| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).| | [Live Tiles](https://support.microsoft.com/help/17176/windows-10-organize-your-apps)| Because Live Tiles display constantly updated information for many apps, you don't have to bother actually opening them. You can arrange, resize, and move tiles as needed.| | [Keyboard assistance features](https://support.microsoft.com/help/27936)| You can personalize your keyboard to ignore repeated keys and do other helpful things if you have limited control of your hands.| | [Mouse Keys](https://support.microsoft.com/help/27936)|If a mouse is difficult to use, you can control the pointer by using your numeric keypad.| @@ -65,7 +65,7 @@ This topic helps IT administrators learn about built-in accessibility features, | Accessibility feature | Description| |---------------------------|------------| | [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.| -| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or othet pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).| +| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).| | [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.| | [Use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721) | Fluent Sitka Small and Fluent Calibri are fonts that address "visual crowding" by adding character and enhance word and line spacing. | | [Edge Reading View](https://support.microsoft.com/help/17204/windows-10-take-your-reading-with-you) | Clears distracting content from web pages so you can stay focused on what you really want to read. | @@ -80,7 +80,7 @@ This topic helps IT administrators learn about built-in accessibility features, | [Use Speech Recognition]( https://support.microsoft.com/help/17208 ) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.| | [Save time with keyboard shortcuts]( https://support.microsoft.com/help/17189) | Keyboard shortcuts for apps and desktops.| -## Additional resources +## Other resources [Windows accessibility](https://www.microsoft.com/Accessibility/windows) [Designing accessible software]( https://msdn.microsoft.com/windows/uwp/accessibility/designing-inclusive-software) diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 4965185168..11028a1ef0 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -2,10 +2,10 @@ title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 08/05/2021 diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 88baf2f9e0..fcf7dec824 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -2,10 +2,10 @@ title: Configure Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/30/2018 @@ -35,7 +35,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en - **Background image** - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. + The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. More images are downloaded on ongoing basis. ![lock screen image.](images/lockscreen.png) @@ -67,7 +67,7 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo | **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | | **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | | **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | -| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | +| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience that helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | **Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | @@ -80,11 +80,11 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo ![lockscreen policy details.](images/lockscreenpolicy.png) -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox isn't selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. ## Resolution for custom lock screen image -A concern with custom lock screen images is how they will appear on different screen sizes and resolutions. +A concern with custom lock screen images is how they'll appear on different screen sizes and resolutions. A custom lock screen image created in 16:9 aspect ratio (1600x900) will scale properly on devices using a 16:9 resolution, such as 1280x720 or 1920x1080. On devices using other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), height scales correctly and width is cropped to a size equal to the aspect ratio. The image will remain centered on the screen diff --git a/windows/configure/images/apn-add-details.PNG b/windows/configure/images/apn-add-details.PNG deleted file mode 100644 index caee3d6429..0000000000 Binary files a/windows/configure/images/apn-add-details.PNG and /dev/null differ diff --git a/windows/configure/images/apn-add.PNG b/windows/configure/images/apn-add.PNG deleted file mode 100644 index 0e25e5c0e9..0000000000 Binary files a/windows/configure/images/apn-add.PNG and /dev/null differ diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index cbeb91ed35..902c4828e2 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -65,11 +65,11 @@ href: planning/features-lifecycle.md - name: Features we're no longer developing items: - - name: Windows 10 deprecated features + - name: Windows deprecated features href: planning/windows-10-deprecated-features.md - name: Features we removed items: - - name: Windows 10 features removed + - name: Windows features removed href: planning/windows-10-removed-features.md - name: Prepare @@ -185,8 +185,9 @@ - name: Monitor Windows client updates items: - name: Monitor with Update Compliance (preview version) - href: update/update-compliance-v2-overview.md items: + - name: Update Compliance overview + href: update/update-compliance-v2-overview.md - name: Enable Update Compliance (preview) items: - name: Update Compliance prerequisites @@ -200,11 +201,15 @@ - name: Configure clients with Microsoft Endpoint Manager href: update/update-compliance-v2-configuration-mem.md - name: Use Update Compliance (preview) - items: - - name: Use Update Compliance - href: update/update-compliance-v2-use.md + items: + - name: Update Compliance workbook + href: update/update-compliance-v2-workbook.md - name: Software updates in the Microsoft admin center (preview) - href: update/update-status-admin-center.md + href: update/update-status-admin-center.md + - name: Use Update Compliance data + href: update/update-compliance-v2-use.md + - name: Feedback, support, and troubleshooting + href: update/update-compliance-v2-help.md - name: Update Compliance schema reference (preview) items: - name: Update Compliance schema reference @@ -258,7 +263,7 @@ href: update/update-compliance-schema-waasupdatestatus.md - name: WaaSInsiderStatus href: update/update-compliance-schema-waasinsiderstatus.md - - name: WaaSDepoymentStatus + - name: WaaSDeploymentStatus href: update/update-compliance-schema-waasdeploymentstatus.md - name: WUDOStatus href: update/update-compliance-schema-wudostatus.md diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index 7fce81849b..1b7ef3ad3b 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -17,4 +17,4 @@ ms.topic: article Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. -By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors. +By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This consent includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you didn't suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you haven't validly acquired a license for the software from Microsoft or its licensed distributors. diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index a841cb6907..a4360e4aa4 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -34,7 +34,7 @@ All four of the roles specified above can be hosted on the same computer or each 2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. -3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. +3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory doesn't already exist, it will be created. ``` copype.cmd @@ -167,7 +167,7 @@ ramdisksdipath \Boot\boot.sdi ## PXE boot process summary -The following summarizes the PXE client boot process. +The following process summarizes the PXE client boot. >The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)). @@ -177,7 +177,7 @@ The following summarizes the PXE client boot process. 5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present. 6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image. 7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE. -8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. Using these tools together with a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. +8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. ## See Also diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index abb43c1a9e..0eb5352dfa 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -18,10 +18,10 @@ This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 > * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. > * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. > * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. -> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it does not work on per device based licensing. +> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it doesn't work on per device based licensing. > [!IMPORTANT] -> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device isn't able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. > >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". @@ -33,18 +33,18 @@ To determine if the computer has a firmware-embedded activation key, type the fo (Get-CimInstance -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey ``` -If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. +If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. ## Enabling Subscription Activation with an existing EA -If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: +If you're an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: 1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +2. After an order is placed, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. 3. The admin can now assign subscription licenses to users. Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: @@ -55,7 +55,7 @@ Use the following process if you need to update contact information and retrigge 4. Enter your agreement number, and then click **Search**. 5. Click the **Service Name**. 6. In the **Subscription Contact** section, click the name listed under **Last Name**. -7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. +7. Update the contact information, then click **Update Contact Details**. This action will trigger a new email. Also in this article: - [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. @@ -65,7 +65,7 @@ Also in this article: You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This synchronization means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. @@ -79,7 +79,7 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) > [!NOTE] -> If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +> If you're implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. ## Preparing for deployment: reviewing requirements @@ -164,7 +164,7 @@ Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation > [!IMPORTANT] -> If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +> If your device is running Windows 10, version 1803 or later, this step isn't needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. > If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
@@ -175,7 +175,7 @@ Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabl ### Step 3: Sign in using Azure AD account -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. +Once the device is joined to your Azure AD subscription, the users will sign in by using their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
Sign in, Windows 10 @@ -208,14 +208,14 @@ Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscr In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: -- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. +- The existing Windows 10 Pro, version 1703 or 1709 operating system isn't activated. This problem doesn't apply to Windows 10, version 1803 or later. - The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: - [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. -- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. +- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
Windows 10 not activated and subscription active @@ -227,7 +227,7 @@ Use the following figures to help you troubleshoot when users experience these c Windows 10 activated and subscription not active
Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings -- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. +- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
Windows 10 not activated and subscription not active @@ -252,5 +252,5 @@ If a device is running a version of Windows 10 Pro prior to version 1703 (for ex ### Delay in the activation of Enterprise License of Windows 10 -This is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device is not eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. +This delay is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index c32aeb19ba..778cc5f140 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -20,7 +20,7 @@ ms.custom: seo-marvel-apr2020 This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. -[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. +[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview. For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: @@ -35,7 +35,7 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor **If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. -In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles. +In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles. There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. **If you do not already have a Microsoft services subscription** @@ -45,11 +45,11 @@ You can check out the Microsoft 365 deployment advisor and other resources for f >[!NOTE] >If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. -1. [Explore Microsoft 365](https://www.microsoft.com/microsoft-365/business/). +1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365). 2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide). 3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). -That's all there is to it! +That's all there's to it! Examples of these two deployment advisors are shown below. @@ -62,9 +62,9 @@ Examples of these two deployment advisors are shown below. ## Windows Analytics deployment advisor example -## M365 Enterprise poster +## Microsoft 365 Enterprise poster -[![M365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter) +[![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter) ## Related Topics diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 6f43fb16f4..55f1a653a6 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -42,7 +42,7 @@ The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is a New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
VPN support is added to [Windows Autopilot](#windows-autopilot)
An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
-The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with additional content added and more content coming soon.
+The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.
## The Modern Desktop Deployment Center @@ -55,7 +55,7 @@ Microsoft 365 is a new offering from Microsoft that combines - Office 365 - Enterprise Mobility and Security (EMS). -See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). +See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster). ## Windows 10 servicing and support @@ -65,12 +65,12 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: - **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). - **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. -- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. +- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. -Additional improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include: +Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include: - Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. -- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon! +- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon! The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: @@ -85,17 +85,17 @@ The following Delivery Optimization policies are removed in the Windows 10, vers [Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include: - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. -- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. +- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. -- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and run normally. +- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again. - **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. -- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. +- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. - **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. -Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. +Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the table below. ![Support lifecycle.](images/support-cycle.png) @@ -115,14 +115,14 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. -If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles. The following Windows Autopilot features are available in Windows 10, version 1903 and later: -- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users. - The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. - [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. ### Microsoft Endpoint Configuration Manager @@ -137,11 +137,11 @@ With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to ### SetupDiag -[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. +[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In Windows 10, version 2004, SetupDiag is now automatically installed. -During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. +During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. ### Upgrade Readiness @@ -179,7 +179,7 @@ For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). ### Microsoft Deployment Toolkit (MDT) -MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There is currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation. +MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There's currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation. For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 1e4ef75b50..af75531621 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -21,8 +21,8 @@ Operating system images are typically the production image used for deployment t ## Infrastructure -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -46,7 +46,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is 5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**. 6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ![figure 18.](../images/fig18-distwindows.png) diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 4dad48dc9d..1d57288f6f 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -17,10 +17,10 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. +In this topic, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -29,9 +29,9 @@ For the purposes of this guide, we will use one server computer: CM01. This section will show you how to import some network and storage drivers for Windows PE. >[!NOTE] ->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. +>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. -This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. +This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. ![Drivers.](../images/cm01-drivers.png) @@ -58,7 +58,7 @@ On **CM01**: This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement). -For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. +For the purposes of this section, we assume that you've downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. ![Drivers in Windows.](../images/cm01-drivers-windows.png) @@ -81,9 +81,9 @@ On **CM01**: * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w >[!NOTE] - >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify. + >The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify. -5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. +5. On the **Select drivers to include in the boot image** page, don't select anything, and click **Next** twice. After the package has been created, click **Close**. >[!NOTE] >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index e925ac8f45..fb7aae6b8e 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -20,16 +20,16 @@ ms.custom: seo-marvel-apr2020 In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. - The boot image that is created is based on the version of ADK that is installed. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Add DaRT 10 files and prepare to brand the boot image -The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. +The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. -We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. +We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. On **CM01**: @@ -42,7 +42,7 @@ On **CM01**: ## Create a boot image for Configuration Manager using the MDT wizard -By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. +By using the MDT wizard to create the boot image in Configuration Manager, you gain more options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. On **CM01**: @@ -65,7 +65,7 @@ On **CM01**: 6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**. 7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. 8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. -9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: +9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)
![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png) diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 260b79eadd..f846694f35 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -16,10 +16,10 @@ ms.topic: article - Windows 10 -In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. +In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly. @@ -93,9 +93,9 @@ On **CM01**: Add an application to the Configuration Manager task sequence >[!NOTE] - >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. + >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. -9. In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings: +9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: * Request state storage location to: Restore state from another computer * If computer account fails to connect to state store, use the Network Access account: selected * Options: Continue on error @@ -103,7 +103,7 @@ On **CM01**: * Task Sequence Variable * USMTLOCAL not equals True -10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings: +10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: * Options: Continue on error * Options / Condition: * Task Sequence Variable @@ -113,14 +113,14 @@ On **CM01**: ## Organize your packages (optional) -If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages. +If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. To create a folder for packages: On **CM01**: 1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure. +2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. 3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. 4. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index caae9de1b6..102b3ae2d6 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: dougeby ms.author: aaroncz @@ -19,8 +20,8 @@ ms.topic: article Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. >[!NOTE] >The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. @@ -29,9 +30,9 @@ For the purposes of this guide, we will use one server computer: CM01. On **CM01**: -1. Create the **D:\Setup** folder if it does not already exist. +1. Create the **D:\Setup** folder if it doesn't already exist. 1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader. -2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example: +2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: ```powershell Set-Location C:\Users\administrator.CONTOSO\Downloads @@ -64,7 +65,7 @@ On **CM01**: Add the "OSD Install" suffix to the application name -11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties). +11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). 12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**. Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 55d9928a01..253e63190e 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +description: In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa manager: dougeby ms.author: aaroncz ms.prod: w10 @@ -16,9 +17,9 @@ ms.collection: highpri - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. +In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. -This topic assumes that you have completed the following prerequisite procedures: +This topic assumes that you've completed the following prerequisite procedures: - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) @@ -27,10 +28,10 @@ This topic assumes that you have completed the following prerequisite procedures - [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) -For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). +For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. - - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. + - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network. >[!NOTE] @@ -38,7 +39,7 @@ For the purposes of this guide, we will use a minimum of two server computers (D All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This connection isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!NOTE] >No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. @@ -50,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet. 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. 4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. 5. The operating system deployment will take several minutes to complete. -6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following: +6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps: * Install the Windows 10 operating system. * Install the Configuration Manager client and the client hotfix. @@ -64,7 +65,7 @@ All server and client computers referenced in this guide are on the same subnet. Monitoring the deployment with MDT. -7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. +7. When the deployment is finished you'll have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. Examples are provided below of various stages of deployment: diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 15ccee4085..3984e65a9b 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -19,8 +19,8 @@ ms.custom: seo-marvel-apr2020 This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -45,11 +45,11 @@ On **CM01**: ## Configure the Logs folder -The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. +The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we'll add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. On **CM01**: -1. To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt: +1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt: ``` icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' @@ -82,17 +82,17 @@ On **CM01**: 3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box. >[!NOTE] - >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. + >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. ## Distribute content to the CM01 distribution portal -In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point. +In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that haven't yet been distributed to the CM01 distribution point. On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. 2. In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. -3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully. +3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. ![Content status.](../images/cm01-content-status1.png) @@ -100,7 +100,7 @@ On **CM01**: ## Create a deployment for the task sequence -This sections provides steps to help you create a deployment for the task sequence. +This section provides steps to help you create a deployment for the task sequence. On **CM01**: @@ -126,7 +126,7 @@ On **CM01**: ## Configure Configuration Manager to prompt for the computer name during deployment (optional) -You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). +You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more information on how to do this step, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 75efdc9ba8..02c1c8a43b 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -7,60 +7,63 @@ ms.author: aaroncz ms.prod: w10 ms.localizationpriority: medium author: aczechowski -ms.topic: article -ms.custom: seo-marvel-apr2020 +ms.topic: how-to --- # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager **Applies to** -- Windows 10 +- Windows 10 -This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). +This article walks you through the Zero Touch Installation (ZTI) process of Windows 10 OS deployment using Microsoft Endpoint Configuration Manager [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). ## Prerequisites -In this topic, you will use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: +In this article, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: - Configuration Manager current branch + all security and critical updates are installed. - - Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](/configmgr/core/plan-design/configs/support-for-windows-10). -- The [Active Directory Schema has been extended](/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created. -- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/configmgr/core/servers/deploy/configure/configure-discovery-methods). -- IP range [boundaries and a boundary group](/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created. -- The Configuration Manager [reporting services](/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. + + > [!NOTE] + > Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10). +- The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created. +- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods). +- IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created. +- The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). - The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. - The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. - - Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool. -For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01. + > [!NOTE] + > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. + +For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. -- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer does not need to be a domain member. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. +- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ### Domain credentials The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. -**Active Directory domain name**: contoso.com
-**Domain administrator username**: administrator
-**Domain administrator password**: pass@word1 +- **Active Directory domain name**: `contoso.com` +- **Domain administrator username**: `administrator` +-**Domain administrator password**: `pass@word1` ## Create the OU structure >[!NOTE] ->If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. +>If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. On **DC01**: To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell. -To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension. +To use Windows PowerShell, copy the following commands into a text file and save it as `C:\Setup\Scripts\ou.ps1` Ensure that you're viewing file extensions and that you save the file with the `.ps1` extension. ```powershell $oulist = Import-csv -Path c:\oulist.txt @@ -106,10 +109,10 @@ On **DC01**: 2. Select the Service Accounts OU and create the CM\_JD account using the following settings: * Name: CM\_JD - * User logon name: CM\_JD - * Password: pass@word1 + * User sign-in name: CM\_JD + * Password: `pass@word1` * User must change password at next logon: Clear - * User cannot change password: Selected + * User can't change password: Selected * Password never expires: Selected 3. Repeat the step, but for the CM\_NAA account. @@ -120,19 +123,19 @@ On **DC01**: ## Configure Active Directory permissions -In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. On **DC01**: -1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt: +1. Sign in as contoso\administrator and enter the following commands at an elevated Windows PowerShell prompt: - ``` + ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force Set-Location C:\Setup\Scripts .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` -2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted: +2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted: * Scope: This object and all descendant objects * Create Computer objects @@ -171,7 +174,7 @@ To support the packages you create in this article, the following folder structu You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure: ->We will also create the D:\Logs folder here which will be used later to support server-side logging. +>We'll also create the D:\Logs folder here which will be used later to support server-side logging. ```powershell New-Item -ItemType Directory -Path "D:\Sources" @@ -193,13 +196,13 @@ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE ## Integrate Configuration Manager with MDT -To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. +To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you've already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. On **CM01**: 1. Sign in as contoso\administrator. 2. Ensure the Configuration Manager Console is closed before continuing. -5. Click Start, type **Configure ConfigManager Integration**, and run the application the following settings: +5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings: * Site Server Name: CM01.contoso.com * Site code: PS1 @@ -214,9 +217,9 @@ Most organizations want to display their name during deployment. In this section On **CM01**: -1. Open the Configuration Manager Console, select the Administration workspace, then click **Client Settings**. -2. In the right pane, right-click **Default Client Settings** and then click **Properties**. -3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**. +1. Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**. +2. In the right pane, right-click **Default Client Settings** and then select **Properties**. +3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**. ![figure 9.](../images/mdt-06-fig10.png) @@ -261,7 +264,7 @@ On **CM01**: Configure the CM01 distribution point for PXE. >[!NOTE] - >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). + >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). 4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. @@ -269,35 +272,35 @@ On **CM01**: The distmgr.log displays a successful configuration of PXE on the distribution point. -5. Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. +5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. ![figure 14.](../images/mdt-06-fig15.png) The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE. - **Note**: These files are used by WDS. They are not used by the ConfigMgr PXE Responder. This article does not use the ConfigMgr PXE Responder. + **Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder. Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md). ## Components of Configuration Manager operating system deployment -Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. +Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. - **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. - **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. - **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. - **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. - **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. - **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager. - - **Note**  The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. +- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. + > [!NOTE] + > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. ## Why integrate MDT with Configuration Manager -As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. +As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. >[!NOTE] >MDT installation requires the following: @@ -307,10 +310,10 @@ As noted above, MDT adds many enhancements to Configuration Manager. While these ### MDT enables dynamic deployment -When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. +When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: -- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence. +- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. ``` syntax [Settings] @@ -342,7 +345,7 @@ The Gather action in the task sequence is reading the rules. ### MDT adds an operating system deployment simulation environment -When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). +When testing a deployment, it's important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). ![figure 3.](../images/mdt-06-fig03.png) @@ -350,7 +353,7 @@ The folder that contains the rules, a few scripts from MDT, and a custom script ### MDT adds real-time monitoring -With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. +With MDT integration, you can follow your deployments in real time, and if you've access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. ![figure 4.](../images/mdt-06-fig04.png) @@ -362,26 +365,27 @@ For some deployment scenarios, you may need to prompt the user for information d ![figure 5.](../images/mdt-06-fig05.png) -The optional UDI wizard open in the UDI Wizard Designer. +The optional UDI wizard opens in the UDI Wizard Designer. MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager. ### Why use MDT Lite Touch to create reference images You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: + - You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. -- The Configuration Manager task sequence does not suppress user interface interaction. -- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured. -- MDT Lite Touch does not require any infrastructure and is easy to delegate. +- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. +- The Configuration Manager task sequence doesn't suppress user interface interaction. +- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. +- MDT Lite Touch doesn't require any infrastructure and is easy to delegate. -## Related topics +## Related articles -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)\ +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)\ +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)\ +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)\ +[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)\ +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)\ +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)\ [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 117dedd018..41822baf59 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). +This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps: @@ -31,8 +31,8 @@ A computer refresh with Configuration Manager works the same as it does with MDT An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10. >[!NOTE] @@ -40,7 +40,7 @@ For the purposes of this article, we will use one server computer (CM01) and one All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. @@ -76,7 +76,7 @@ On **CM01**: Use the default settings to complete the remaining wizard pages and click **Close**. -2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. +2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. >[!NOTE] >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. @@ -94,7 +94,7 @@ Using the Configuration Manager console, in the Software Library workspace, expa - Make available to the following: Configuration Manager clients, media and PXE >[!NOTE] - >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - Scheduling - <default> diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 242bcd70ee..4d0bcca63b 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +description: In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 ms.reviewer: manager: dougeby ms.author: aaroncz @@ -17,16 +18,16 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10. +In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10. -In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). +In this topic, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). ## Infrastructure An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced. - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004. @@ -36,7 +37,7 @@ For the purposes of this article, we will use one server computer (CM01) and two All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. @@ -70,15 +71,15 @@ The backup-only task sequence (named Replace Task Sequence). ## Associate the new device with the old computer -This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. +This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS: -1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet. +1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. On **CM01**: -2. Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. +2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. 3. On the **Select Source** page, select **Import single computer** and click **Next**. 4. On the **Single Computer** page, use the following settings and then click **Next**: @@ -95,14 +96,14 @@ On **CM01**: 7. On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**. 8. On the **Summary** page, click **Next**, and then click **Close**. 9. Select the **User State Migration** node and review the computer association in the right hand pane. -10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. -11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. +10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. +11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. ## Create a device collection and add the PC0004 computer On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: * General * Name: USMT Backup (Replace) @@ -117,7 +118,7 @@ On **CM01**: Use default settings for the remaining wizard pages, then click **Close**. -2. Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection. +2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. ## Create a new deployment @@ -145,7 +146,7 @@ This section assumes that you have a computer named PC0004 with the Configuratio On **PC0004**: -1. If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). +1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears. >[!NOTE] @@ -161,8 +162,8 @@ Capturing the user state On **CM01**: -6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup. -7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. +6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. +7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. >[!NOTE] >It may take a few minutes for the user state store location to be populated. @@ -176,7 +177,7 @@ On **PC0006**: * Password: pass@word1 * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM -2. The setup now starts and does the following: +2. The setup now starts and does the following steps: * Installs the Windows 10 operating system * Installs the Configuration Manager client @@ -184,7 +185,7 @@ On **PC0006**: * Installs the applications * Restores the PC0004 backup -When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: +When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: ![User data and setting restored example 1.](../images/pc0006a.png)
![User data and setting restored example 2.](../images/pc0006b.png)
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index dd7097e837..5d6a936a26 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -27,28 +27,28 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ## Add an OS upgrade package -Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). +Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it doesn't use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**. -2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. -3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**. +2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. +3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**. 4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**. 5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**. 6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ## Create an in-place upgrade task sequence @@ -77,7 +77,7 @@ After you create the upgrade task sequence, you can create a collection to test On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General - Name: Windows 10 x64 in-place upgrade - Limited Collection: All Systems @@ -89,7 +89,7 @@ On **CM01**: - Select Resources - Select PC0004 -2. Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection. +2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. ## Deploy the Windows 10 upgrade diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 3300697ddc..ccf4df0e57 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,6 +1,7 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) -description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. +description: In this topic, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. +ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c ms.reviewer: manager: dougeby ms.author: aaroncz @@ -17,9 +18,9 @@ ms.topic: article Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. -Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. +Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. -For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![figure 1.](../images/mdt-10-fig01.png) @@ -29,7 +30,7 @@ Computers used in this topic. ## Replicate deployment shares -Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. +Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. > [!NOTE] > Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. @@ -40,7 +41,7 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes ### Why DFS-R is a better option -DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. +DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. ## Set up Distributed File System Replication (DFS-R) for replication @@ -113,7 +114,7 @@ When you have multiple deployment servers sharing the same content, you need to On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. ```ini [Settings] @@ -152,7 +153,7 @@ On **MDT01**: ## Replicate the content - Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. + Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. ### Create the replication group @@ -247,7 +248,7 @@ Now you should have a solution ready for deploying the Windows 10 client to the 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image 2. Computer Name: PC0006 3. Applications: Select the Install - Adobe Reader -4. Setup will now start and perform the following: +4. Setup will now start and perform the following steps: 1. Install the Windows 10 Enterprise operating system. 2. Install applications. 3. Update the operating system using your local Windows Server Update Services (WSUS) server. diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 078bb06ca8..fe96dcd42b 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -12,7 +12,7 @@ ms.topic: article # Configure MDT deployment share rules -In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. +In this topic, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. ## Assign settings @@ -29,7 +29,7 @@ Before adding the more advanced components like scripts, databases, and web serv ### Set computer name by MAC Address -If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. +If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. ``` [Settings] @@ -90,7 +90,7 @@ In the preceding sample, you still configure the rules to set the computer name ### Add laptops to a different organizational unit (OU) in Active Directory -In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read. +In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read. ``` [Settings] diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index c4bbe93743..8c0ba8179d 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,6 +1,7 @@ --- title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 ms.reviewer: manager: dougeby ms.author: aaroncz @@ -12,8 +13,8 @@ ms.topic: article # Configure MDT settings -One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). ![figure 1.](../images/mdt-09-fig01.png) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index e9d1c48603..1f482f177d 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -15,12 +15,12 @@ ms.topic: article **Applies to** - Windows 10 -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you 'll have a Windows 10 reference image that can be used in your deployment solution. >[!NOTE] ->See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide. +>For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). -For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01. +For the purposes of this topic, we'll use three computers: DC01, MDT01, and HV01. - DC01 is a domain controller for the contoso.com domain. - MDT01 is a contoso.com domain member server. - HV01 is a Hyper-V server that will be used to build the reference image. @@ -31,22 +31,22 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and HV ## The reference image -The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following: +The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are: - To reduce development time and can use snapshots to test different configurations quickly. -- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related. -- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. +- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related. +- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. - The image is easy to move between lab, test, and production. ## Set up the MDT build lab deployment share -With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. +With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. ### Create the MDT build lab deployment share On **MDT01**: - Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic). -- Start the MDT deployment workbench, and pin this to the taskbar for easy access. +- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. - Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - Use the following settings for the New Deployment Share Wizard: - Deployment share path: **D:\\MDTBuildLab** @@ -70,7 +70,7 @@ In order to read files in the deployment share and write the reference image bac On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell @@ -84,7 +84,7 @@ This section will show you how to populate the MDT deployment share with the Win ### Add the Windows 10 installation files -MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft. >[!NOTE] >Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. @@ -129,9 +129,9 @@ The steps in this section use a strict naming standard for your MDT applications Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. -By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. +By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. -In example sections, you will add the following applications: +In example sections, you 'll add the following applications: - Install - Microsoft Office 365 Pro Plus - x64 - Install - Microsoft Visual C++ Redistributable 2019 - x86 @@ -146,7 +146,7 @@ Download links: Download all three items in this list to the D:\\Downloads folder on MDT01. -**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). +**Note**: For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). >[!NOTE] >All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. @@ -157,7 +157,9 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. 2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. For example, you can use the following configuration.xml file, which provides these configuration settings: - - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition. + - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. + > [!NOTE] + > 64-bit is now the default and recommended edition. - Use the General Availability Channel and get updates directly from the Office CDN on the internet. - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages. @@ -173,27 +175,27 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. ``` - By using these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. + When you use these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. >[!TIP] >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. - Also see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information. + For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: ![folder.](../images/office-folder.png) - Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet. + Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. >[!IMPORTANT] - >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. + >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. Additional information -- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. +- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. -- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) - - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. +- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) + - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. ### Connect to the deployment share using Windows PowerShell @@ -201,7 +203,7 @@ If you need to add many applications, you can take advantage of the PowerShell s On **MDT01**: -1. Ensure you are signed in as **contoso\\Administrator**. +1. Ensure you're signed in as **contoso\\Administrator**. 2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -213,11 +215,11 @@ On **MDT01**: ### Create the install: Microsoft Office 365 Pro Plus - x64 -In these steps we assume that you have downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. +In these steps, we assume that you've downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -227,7 +229,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import @@ -246,11 +248,11 @@ On **MDT01**: >[!NOTE] >We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -260,7 +262,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import @@ -275,11 +277,11 @@ On **MDT01**: ### Create the install: Microsoft Visual C++ Redistributable 2019 - x64 -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -291,8 +293,8 @@ On **MDT01**: ## Create the reference image task sequence -In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. -After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. +In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. +After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying. ### Drivers and the reference image @@ -304,18 +306,18 @@ To create a Windows 10 reference image task sequence, the process is as follows On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: 1. Task sequence ID: REFW10X64-001 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image 3. Task sequence comments: Reference Build 4. Template: Standard Client Task Sequence 5. Select OS: Windows 10 Enterprise x64 RTM Default Image - 6. Specify Product Key: Do not specify a product key at this time + 6. Specify Product Key: Don't specify a product key at this time 7. Full Name: Contoso 8. Organization: Contoso 9. Internet Explorer home page: http://www.contoso.com - 10. Admin Password: Do not specify an Administrator Password at this time + 10. Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -338,7 +340,7 @@ On **MDT01**: 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) >[!IMPORTANT] - >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. ![task sequence.](../images/fig8-cust-tasks.png) @@ -355,7 +357,7 @@ On **MDT01**: ### Optional configuration: Add a suspend action -The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. +The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. ![figure 8.](../images/fig8-suspend.png) @@ -367,20 +369,20 @@ The goal when creating a reference image is of course to automate everything. Bu ### Edit the Unattend.xml file for Windows 10 Enterprise -When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use the Internet Explorer Administration Kit (IEAK). +When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK). >[!WARNING] ->Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. +>Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. >[!NOTE] ->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. +>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. -2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. +2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. > [!IMPORTANT] > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: @@ -393,7 +395,8 @@ On **MDT01**: 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - DisableDevTools: true 5. Save the Unattend.xml file, and close Windows SIM. - - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. + > [!NOTE] + > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. ![figure 10.](../images/fig10-unattend.png) @@ -413,7 +416,7 @@ To configure the rules for the MDT Build Lab deployment share: On **MDT01**: 1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. -2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you do not have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: +2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: ``` [Settings] @@ -469,7 +472,7 @@ On **MDT01**: ``` >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: @@ -486,7 +489,7 @@ On **MDT01**: ### Update the deployment share -After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created. +After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created. 1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. @@ -496,9 +499,9 @@ After the deployment share has been configured, it needs to be updated. This is ### The rules explained -Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it is time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. +Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. -The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide just enough information for MDT to find the CustomSettings.ini. +The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide enough information for MDT to find the CustomSettings.ini. The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). @@ -521,14 +524,14 @@ SkipBDDWelcome=YES ``` So, what are these settings? -- **Priority.** This determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. -- **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. -- **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you. +- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. +- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. +- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. >[!WARNING] >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. -- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. +- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. >[!NOTE] >All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. @@ -569,20 +572,20 @@ SkipRoles=YES SkipCapture=NO SkipFinalSummary=YES ``` -- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. +- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. - **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. -- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image. +- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image. - **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. -- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed. +- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. - **AdminPassword.** Sets the local Administrator account password. - **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). **Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. - **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. +- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - **FinishAction.** Instructs MDT what to do when the task sequence is complete. -- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. +- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. - **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. - **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. - **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). @@ -602,9 +605,9 @@ SkipFinalSummary=YES ## Build the Windows 10 reference image -As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information. +As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements). -Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. +Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. @@ -628,7 +631,7 @@ On **HV01**: 4. Start the REFW10X64-001 virtual machine and connect to it. - **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. + **Note**: Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image @@ -640,7 +643,7 @@ On **HV01**: The Windows Deployment Wizard for the Windows 10 reference image. -5. The setup now starts and does the following: +5. The setup now starts and does the following steps: 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added applications, roles, and features. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. @@ -649,7 +652,7 @@ On **HV01**: 6. Captures the installation to a Windows Imaging (WIM) file. 7. Turns off the virtual machine. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ![image.](../images/image-captured.png) @@ -662,9 +665,9 @@ If you [enabled monitoring](#enable-monitoring), you can check the progress of t ![monitoring.](../images/mdt-monitoring.png) -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related topics diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 0d89ad7be7..90deeb5238 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -15,16 +15,16 @@ ms.topic: article **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +This topic will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. +We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005. +For the purposes of this topic, we'll use four computers: DC01, MDT01, HV01 and PC0005. - DC01 is a domain controller - MDT01 is a domain member server - HV01 is a Hyper-V server -- PC0005 is a blank device to which we will deploy Windows 10 +- PC0005 is a blank device to which we'll deploy Windows 10 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. @@ -35,7 +35,7 @@ MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contos ## Step 1: Configure Active Directory permissions -These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. +These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. On **DC01**: @@ -55,7 +55,7 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` - The following is a list of the permissions being granted: + The following list is of the permissions being granted: - Scope: This object and all descendant objects - Create Computer objects @@ -72,7 +72,7 @@ On **DC01**: ## Step 2: Set up the MDT production deployment share -Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. +Next, create a new MDT deployment share. You shouldn't use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. ### Create the MDT production deployment share @@ -80,7 +80,7 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: -1. Ensure you are signed on as: contoso\administrator. +1. Ensure you're signed on as: contoso\administrator. 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. @@ -97,7 +97,7 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell @@ -107,11 +107,11 @@ On **MDT01**: ## Step 3: Add a custom image -The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. +The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components. ### Add the Windows 10 Enterprise x64 RTM custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. +In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. 1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. @@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. @@ -175,12 +175,12 @@ For boot images, you need to have storage and network drivers; for the operating ### Create the driver source structure in the file system -The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. +The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. On **MDT01**: > [!IMPORTANT] -> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. +> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. 1. Using File Explorer, create the **D:\\drivers** folder. 2. In the **D:\\drivers** folder, create the following folder structure: @@ -198,11 +198,11 @@ On **MDT01**: - Surface Laptop > [!NOTE] -> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. +> Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. ### Create the logical driver structure in MDT -When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. +When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench. 1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 @@ -260,7 +260,7 @@ On **MDT01**: ### Extract and import drivers for the x64 boot image -Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. +Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require more drivers. In this example, you add the latest Intel network drivers to the x64 boot image. On **MDT01**: @@ -282,7 +282,7 @@ For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retrieve To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). -In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. +In this example, we assume you've downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. On **MDT01**: @@ -292,13 +292,13 @@ On **MDT01**: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** - The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. + The folder you select and all subfolders will be checked for drivers, expanding any .cab files that are present and searching for drivers. ### For the Latitude E7450 For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). -In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. +In these steps, we assume you've downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. On **MDT01**: @@ -312,7 +312,7 @@ On **MDT01**: For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). -In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. +In these steps, we assume you've downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. On **MDT01**: @@ -324,7 +324,7 @@ On **MDT01**: ### For the Microsoft Surface Laptop -For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. +For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps, we assume you've downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. On **MDT01**: @@ -336,7 +336,7 @@ On **MDT01**: ## Step 6: Create the deployment task sequence -This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. +This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You'll then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. ### Create a task sequence for Windows 10 Enterprise @@ -350,11 +350,11 @@ On **MDT01**: - Task sequence comments: Production Image - Template: Standard Client Task Sequence - Select OS: Windows 10 Enterprise x64 RTM Custom Image - - Specify Product Key: Do not specify a product key at this time + - Specify Product Key: Don't specify a product key at this time - Full Name: Contoso - Organization: Contoso - Internet Explorer home page: `https://www.contoso.com` - - Admin Password: Do not specify an Administrator Password at this time + - Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -372,7 +372,7 @@ On **MDT01**: - Install all drivers from the selection profile > [!NOTE] - > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. @@ -386,7 +386,7 @@ On **MDT01**: ## Step 7: Configure the MDT production deployment share -In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work. +In this section, you'll learn how to configure the MDT Build Lab deployment share with the rules required to create a dynamic deployment process. This configuration includes commonly used rules and an explanation of how these rules work. ### Configure the rules @@ -460,7 +460,7 @@ On **MDT01**: > [!NOTE] > - > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. @@ -488,13 +488,13 @@ On **MDT01**: ### The rules explained -The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. +The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. ### The Bootstrap.ini file -This is the MDT Production Bootstrap.ini: +This file is the MDT Production Bootstrap.ini: ``` [Settings] @@ -510,7 +510,7 @@ SkipBDDWelcome=YES ### The CustomSettings.ini file -This is the CustomSettings.ini file with the new join domain information: +This file is the CustomSettings.ini file with the new join domain information: ``` [Settings] @@ -557,16 +557,22 @@ Some properties to use in the MDT Production rules file are as follows: - **DomainAdminPassword.** The password for the join domain account. - **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. - **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. -- **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). +- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). - **EventService.** Activates logging information to the MDT monitoring web service. +> [!NOTE] +> For more information about localization support, see the following articles: +> +> - [MDT sample guide](/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario) +> - [LCID (Locale ID) codes](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) + ### Optional deployment share configuration -If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. +If your organization has a Microsoft Software Assurance agreement, you also can subscribe to another Microsoft Desktop Optimization Package (MDOP) license (at an extra cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, and troubleshoot Windows itself. ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: +If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps: > [!NOTE] @@ -602,7 +608,7 @@ On **MDT01**: ### Update the deployment share -Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. +Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created. 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. @@ -633,7 +639,7 @@ On **MDT01**: ### Deploy the Windows 10 client -At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: +At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: On **HV01**: @@ -659,7 +665,7 @@ On **HV01**: - Computer Name: **PC0005** - Applications: Select the **Install - Adobe Reader** checkbox. -4. Setup now begins and does the following: +4. Setup now begins and does the following steps: - Installs the Windows 10 Enterprise operating system. - Installs the added application. @@ -675,7 +681,7 @@ Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed auto ### Use the MDT monitoring feature -Since you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. +Since you've enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. On **MDT01**: @@ -699,12 +705,11 @@ The Event Viewer showing a successful deployment of PC0005. ## Multicast deployments -Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. If you have a limited number of simultaneous deployments, you probably do not need to enable multicast. +Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it's important to ensure that your network supports it and is designed for it. If you've a limited number of simultaneous deployments, you probably don't need to enable multicast. ### Requirements -Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that -Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. +Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this configuration means involvement of the organization networking team to ensure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. ### Set up MDT for multicast @@ -723,9 +728,9 @@ On **MDT01**: ## Use offline media to deploy Windows 10 -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. -Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. +Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. ### Create the offline media selection profile @@ -756,7 +761,7 @@ In these steps, you generate offline media from the MDT Production deployment sh 1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. >[!NOTE] - >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. + >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. @@ -792,7 +797,7 @@ On **MDT01**: ### Generate the offline media -You have now configured the offline media deployment share, however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. +You've now configured the offline media deployment share, however the share hasn't yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. On **MDT01**: @@ -802,7 +807,7 @@ On **MDT01**: ### Create a bootable USB stick -The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) +The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] >In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. @@ -815,7 +820,7 @@ Follow these steps to create a bootable USB stick from the offline media content 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. -4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. +4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). @@ -823,7 +828,7 @@ Follow these steps to create a bootable USB stick from the offline media content ## Unified Extensible Firmware Interface (UEFI)-based deployments -As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI. +As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you've an UEFI-based machine and creates the partitions UEFI requires. You don't need to update or change your task sequences in any way to accommodate UEFI. ![figure 14.](../images/mdt-07-fig16.png) diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index d5a9a7653a..9667f4a047 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -21,23 +21,23 @@ This article provides an overview of the features, components, and capabilities MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. -In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. +In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). +MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). > [!IMPORTANT] > For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-). ## Key features in MDT -MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. +MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: - **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. - **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. -- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry. +- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. - **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI. +- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. - **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. ![figure 2.](../images/mdt-05-fig02.png) @@ -48,7 +48,7 @@ MDT has many useful features, such as: - **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). - **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. - **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. - **Monitoring.** Allows you to see the status of currently running deployments. - **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). - **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. @@ -65,21 +65,21 @@ MDT has many useful features, such as: - **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. - **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. - **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components -Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk. -When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. +When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click **View Script**. You're provided the PowerShell command. ![figure 4.](../images/mdt-05-fig04.png) -If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. +If you click **View Script** on the right side, you'll get the PowerShell code that was used to perform the task. ## Deployment shares -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get more settings for the deployment. For Lite Touch deployments, it's common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it's common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. ## Rules @@ -92,7 +92,7 @@ You can manage hundreds of settings in the rules. For more information, see the ![figure 5.](../images/mdt-05-fig05.png) -Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number +Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number ## Boot images @@ -101,7 +101,7 @@ share on the server and start the deployment. ## Operating systems -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. ## Applications @@ -113,7 +113,7 @@ You also use the Deployment Workbench to import the drivers your hardware needs ## Packages -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those packages. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that aren't available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. ## Task sequences @@ -128,17 +128,18 @@ You can think of a task sequence as a list of actions that need to be executed i ## Task sequence templates -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence. - **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. + > [!NOTE] + > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't. - **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. - **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. - **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. - **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. - **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. - **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. - **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. @@ -161,7 +162,7 @@ The easiest way to view log files is to use Configuration Manager Trace (CMTrace ## Monitoring -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. +On the deployment share, you also can enable monitoring. After you enable monitoring, you'll see all running deployments in the Monitor node in the Deployment Workbench. ## See next diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index ba824d08fb..72ef0f8a71 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -7,7 +7,9 @@ href: waas-delivery-optimization.md - name: What's new href: whats-new-do.md - + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization @@ -16,6 +18,8 @@ items: - name: Windows Delivery Optimization settings href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings + - name: Windows Delivery Optimization Frequently Asked Questions + href: ../do/waas-delivery-optimization-faq.yml - name: Configure Microsoft Endpoint Manager items: - name: Delivery Optimization settings in Microsoft Intune @@ -40,3 +44,6 @@ href: delivery-optimization-workflow.md - name: Using a proxy with Delivery Optimization href: delivery-optimization-proxy.md + - name: Content endpoints for Delivery Optimization and Microsoft Connected Cache + href: delivery-optimization-endpoints.md + diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md new file mode 100644 index 0000000000..984e7fd026 --- /dev/null +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -0,0 +1,37 @@ +--- +title: Delivery Optimization and Microsoft Connected Cache content endpoints +description: List of fully qualified domain names, ports, and associated content types to use Delivery Optimization and Microsoft Connected Cache. +ms.date: 07/26/2022 +ms.prod: w10 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: cmknox +ms.author: carmenf +ms.reviewer: mstewart +manager: naengler +--- + +# Delivery Optimization and Microsoft Connected Cache content type endpoints + +_Applies to:_ + +- Windows 11 +- Windows 10 + +> [!NOTE] +> All ports are outbound. + +This article lists the endpoints that need to be allowed through the firewall to ensure that content from Delivery Optimization and Microsoft Connected cache is properly delivered. Use the table below to reference any particular content types supported by Delivery Optimization and Microsoft Connected Cache: + +|Domain Name |Protocol/Port(s) | Content Type | Additional Information | Version | +|---------|---------|---------------|-------------------|-----------------| +| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com | HTTP / 80 | Windows Update
Windows Defender
Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.delivery.mp.microsoft.com | HTTP / 80 | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net | HTTP / 80 | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com | HTTP / 80
HTTPs / 443 | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.statics.teams.cdn.office.net | HTTP / 80
HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point | +| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point | +| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | +| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671
MQTT / 8883
HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index 5afb66f3f6..15bd6957d3 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -12,27 +12,27 @@ ms.topic: article # Using a proxy with Delivery Optimization -**Applies to** +**Applies to:** -- Windows 10 - Windows 11 +- Windows 10 -When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. +When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows. For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings. -Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required. +Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required. > [!NOTE] > We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used). If a user is signed in, the system uses the Internet Explorer proxy. -If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors. +If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors. -You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply. +You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply. ### Summary of settings behavior @@ -43,7 +43,7 @@ With an interactive user signed in: |Named proxy set by using: |Delivery Optimization successfully uses proxy | |---------|---------| |Internet Explorer proxy, current user | Yes | -|Internet Explorer proxy, device-wide | Yes | +|Internet Explorer proxy, device-wide | Yes | |netsh proxy | No | |Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, Internet Explorer proxy is used | |Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, Internet Explorer proxy is used | @@ -53,7 +53,7 @@ With NetworkService (if unable to obtain a user token from a signed-in user): |Named proxy set by using: |Delivery Optimization successfully uses proxy | |---------|---------| |Internet Explorer proxy, current user | No | -|Internet Explorer proxy, device-wide | Yes | +|Internet Explorer proxy, device-wide | Yes | |netsh proxy | Yes | |Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, netsh proxy is used | |Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, netsh proxy is used | @@ -70,10 +70,10 @@ This policy is meant to ensure that proxy settings apply uniformly to the same c Starting with Windows 10, version 2004, you can use Connected Cache behind a proxy. In older versions, when you set Delivery Optimization to download from Connected Cache, it will bypass the proxy and try to connect directly to the Connected Cache server. This can cause failure to download. -However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations). +However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations). - ## Related articles +## Related articles -- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp) -- [How to use GPP Registry to uncheck automatically detect settings? ](/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings) -- [How to configure a proxy server URL and Port using GPP Registry?](/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry) \ No newline at end of file +- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp) +- [How to use GPP Registry to uncheck automatically detect settings?](/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings) +- [How to configure a proxy server URL and Port using GPP Registry?](/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry) diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index c1f2b5eb4a..85d6ee2703 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -1,6 +1,6 @@ ### YamlMime:Landing -title: Delivery Optimization for Windows client # < 60 chars +title: Delivery Optimization # < 60 chars summary: Set up peer to peer downloads for Windows Updates and learn about Microsoft Connected Cache. # < 160 chars metadata: @@ -49,9 +49,9 @@ landingContent: - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting - text: Delivery Optimization Frequently Asked Questions - url: ../update/waas-delivery-optimization-faq.md + url: ../do/waas-delivery-optimization-faq.yml - text: Submit feedback - url: https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app + url: https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332 # Card (optional) - title: Configure Delivery Optimization on Microsoft Endpoint Manager @@ -97,4 +97,6 @@ landingContent: url: delivery-optimization-workflow.md - text: Using a proxy with Delivery Optimization url: delivery-optimization-proxy.md + - text: Content endpoints for Delivery Optimization and Microsoft Connected Cache + url: delivery-optimization-endpoints.md diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index c64c10c317..6b83267846 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -24,7 +24,7 @@ ms.topic: article Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/). -MCC is a hybrid (a mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. +MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: @@ -111,7 +111,7 @@ For questions regarding these instructions contact [msconnectedcache@microsoft.c As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] -> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allow list for this preview. You will not be able to proceed if you skip this step. +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). @@ -119,9 +119,9 @@ For information about creating or locating your subscription ID, see [Steps to o The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. -Once you take the survey above and the MCC team adds your subscription id to the allow list, you will be given a link to the Azure portal where you can create the resource described below. +Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. -1. On the Azure Portal home page, choose **Create a resource**: +1. On the Azure portal home page, choose **Create a resource**: ![eMCC img02](images/emcc02.png) 2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. @@ -164,7 +164,7 @@ Once you take the survey above and the MCC team adds your subscription id to the ### Create an MCC node in Azure -Creating a MCC node is a multi-step process and the first step is to access the MCC private preview management portal. +Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal. 1. After the successful resource creation click on the **Go to resource**. 2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. @@ -291,7 +291,7 @@ Files contained in the mccinstaller.zip file: 6. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and cores you would like to allocate for the VM. In this example, we chose the default values for all prompts. -7. Follow the Azure Device Login link and sign into the Azure Portal. +7. Follow the Azure Device Login link and sign into the Azure portal. ![eMCC img17](images/emcc17.png) @@ -329,10 +329,10 @@ You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edge #### Verify server side -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace \ with the IP address of the cache server. +For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. ```powershell -wget [http://\/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]() +wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] ``` A successful test result will look like this: @@ -351,7 +351,7 @@ If the test fails, see the common issues section for more information. ### Intune (or other management software) configuration for MCC -Example of setting the cache host policy to the MCC’s IP address / FQDN: +For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN: ![eMCC img23](images/emcc23.png) @@ -382,7 +382,7 @@ sudo iotedge list​ ![eMCC img24](images/emcc24.png) -If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoTEdge security manager using the command: +If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoT Edge security manager using the command: ```bash sudo journalctl -u iotedge -f @@ -503,13 +503,13 @@ There are multiple methods that can be used to apply a policy to PCs that should You can either set your MCC IP address or FQDN using: 1. Registry Key in 1709 and higher - - [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization]
+ [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
"DOCacheHost"=" " From an elevated command prompt: ``` - reg add "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f ``` 2. MDM Path in 1809 or higher: @@ -541,4 +541,4 @@ To verify that the Delivery Optimization client can download content using MCC, ## Also see [Microsoft Connected Cache for ISPs](mcc-isp.md)
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) \ No newline at end of file +[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml new file mode 100644 index 0000000000..0fe613a87a --- /dev/null +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -0,0 +1,108 @@ +### YamlMime:FAQ +metadata: + title: Delivery Optimization Frequently Asked Questions + description: The following is a list of frequently asked questions for Delivery Optimization. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: aaroncz + ms.prod: m365-security + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: carmenf + ms.author: carmenf + manager: dougeby + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 08/04/2022 + ms.custom: seo-marvel-apr2020 +title: Delivery Optimization Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + + +sections: + - name: Ignored + questions: + - question: Does Delivery Optimization work with WSUS? + answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + + - question: Which ports does Delivery Optimization use? + answer: | + Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + + - question: What are the requirements if I use a proxy? + answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + + - question: What hostnames should I allow through my firewall to support Delivery Optimization? + answer: | + **For communication between clients and the Delivery Optimization cloud service**: + + - `*.do.dsp.mp.microsoft.com` + + **For Delivery Optimization metadata**: + + - `*.dl.delivery.mp.microsoft.com` + - `*.emdl.ws.microsoft.com` + + **For the payloads (optional)**: + + - `*.download.windowsupdate.com` + - `*.windowsupdate.com` + + **For group peers across multiple NATs (Teredo)**: + + - `win1910.ipv6.microsoft.com` + + For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + + - question: Does Delivery Optimization use multicast? + answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + + - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + + - question: How does Delivery Optimization handle VPNs? + answer: | + Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + + If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + + With split tunneling, make sure to allow direct access to these endpoints: + + Delivery Optimization service endpoint: + + - `https://*.prod.do.dsp.mp.microsoft.com` + + Delivery Optimization metadata: + + - `http://emdl.ws.microsoft.com` + - `http://*.dl.delivery.mp.microsoft.com` + + Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + + - `http://*.windowsupdate.com` + - `https://*.delivery.mp.microsoft.com` + - `https://*.update.microsoft.com` + - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + + For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + + - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + answer: | + Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + + > [!NOTE] + > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. + diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index fd6f82f98c..928132b662 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -27,10 +27,15 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. -Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows)) +Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows). **Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. +## Allow content endpoints + +When using a firewall, it is important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). + + ## Recommended Delivery Optimization settings Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 2af5bf6390..6e2cfcba95 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -42,7 +42,7 @@ "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-development", diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 051bc90e0d..76c4a0c066 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -1,6 +1,7 @@ --- -title: Windows 10 features we're no longer developing -description: Review the list of features that are no longer being developed in Windows 10. +title: Deprecated features in Windows client +description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11. +ms.date: 07/21/2022 ms.prod: w10 ms.technology: windows ms.localizationpriority: medium @@ -12,27 +13,30 @@ ms.topic: article ms.collection: highpri --- -# Windows 10 features we're no longer developing +# Deprecated features for Windows client _Applies to:_ - Windows 10 +- Windows 11 -Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md). +Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](windows-10-removed-features.md). -For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). +For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). -The features described below are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. +To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md). + +The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. **The following list is subject to change and might not include every affected feature or functionality.** > [!NOTE] -> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). +> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332). -|Feature | Details and mitigation | Announced in version | +|Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | -| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | -| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 | +| Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 | +| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | | Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself isn't affected. | 21H1 | | Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you can't upload new activity in Timeline. For more information, see [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 32c08d1d10..4a695dc7b7 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -39,12 +39,8 @@ sections: - question: | Can I evaluate Windows 10 Enterprise? answer: | - Yes, a 90-day evaluation of Windows 10 Enterprise is available. The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. - > [!NOTE] - > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). - - - name: Drivers and compatibility questions: - question: | @@ -54,10 +50,10 @@ sections: - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: - - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) - - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) + - [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984) + - [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - question: | Where can I find out if an application or device is compatible with Windows 10? @@ -74,12 +70,9 @@ sections: - question: | Which deployment tools support Windows 10? answer: | - Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. + Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) support Windows 10. - - [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using Configuration Manager, download a free 180-day trial. - - > [!NOTE] - > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). + - [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using it, download a free 180-day trial of [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager). - [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment. @@ -132,7 +125,7 @@ sections: answer: | For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). @@ -159,4 +152,3 @@ sections: - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum). - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev). - - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home). diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index baa2e8882e..4510e72618 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -1,6 +1,6 @@ --- -title: Windows 10 - Features that have been removed -description: In this article, learn about the features and functionality that has been removed or replaced in Windows 10. +title: Features and functionality removed in Windows client +description: In this article, learn about the features and functionality that have been removed or replaced in Windows client. ms.prod: w10 ms.localizationpriority: medium author: aczechowski @@ -11,36 +11,44 @@ ms.custom: seo-marvel-apr2020 ms.collection: highpri --- -# Features and functionality removed in Windows 10 +# Features and functionality removed in Windows client -> Applies to: Windows 10 +_Applies to:_ -Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.** +- Windows 10 +- Windows 11 -For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md). +Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client. + +For more information about features that might be removed in a future release, see [Deprecated features for Windows client](windows-10-deprecated-features.md). > [!NOTE] -> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. +> To get early access to new Windows builds and test these changes yourself, join the [Windows Insider program](https://insider.windows.com). -For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). +For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). -The following features and functionalities have been removed from the installed product image for Windows 10. Applications or code that depend on these features won't function in the release when it was removed, or in later releases. +To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md). -|Feature | Details and mitigation | Removed in version | +The following features and functionalities have been removed from the installed product image for Windows client. Applications or code that depend on these features won't function in the release when it was removed, or in later releases. + +**The following list is subject to change and might not include every affected feature or functionality.** + +|Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | +| Internet Explorer 11 | The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10. You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). | June 15, 2022 | | XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 | |Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 | |MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 | -| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | +| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, select **Settings** > **Apps** > **Optional features** > **Add a feature**, and then install the **Wireless Display** app. | 2004 | | Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | | Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | -| PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 | +| PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We're planning to complete the removal process by removing the corresponding APIs. | 1909 | | Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 | -| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 | +| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you'll only be able to access messages from the device that received the message. | 1903 | |Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 | -|[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| 1809 | +|[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting lets you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it will be ignored.| 1809 | |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or HoloLens with the Mixed Reality Viewer.| 1809 | |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 | |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 | @@ -48,7 +56,7 @@ The following features and functionalities have been removed from the installed |Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 | |People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 | |Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 | -|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | +|HomeGroup|We're removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 | |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 | |3D Builder app | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.| 1709 | @@ -62,9 +70,9 @@ The following features and functionalities have been removed from the installed |TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 | |Tile Data Layer |To be replaced by the Tile Store.| 1709 | |Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 | -|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 | +|By default, Flash autorun in Microsoft Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 | |Interactive Service Detection Service| See [Interactive Services](/windows/win32/services/interactive-services) for guidance on how to keep software up to date. | 1703 | -|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | +|Microsoft Paint | This application won't be available for languages that aren't on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | |NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 | |Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 | |WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 | diff --git a/windows/deployment/update/includes/update-compliance-admin-center-permissions.md b/windows/deployment/update/includes/update-compliance-admin-center-permissions.md new file mode 100644 index 0000000000..01f67b2713 --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-admin-center-permissions.md @@ -0,0 +1,22 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/18/2022 +ms.localizationpriority: medium +--- + +[Enabling Update Compliance](../update-compliance-v2-enable.md) requires access to the [Microsoft admin center software updates (preview) page](../update-status-admin-center.md) as does displaying Update Compliance data in the admin center. The following permissions are needed for access to the [Microsoft 365 admin center](https://admin.microsoft.com): + + +- To enable Update Compliance, edit Update Compliance configuration settings, and view the **Windows** tab in the **Software Updates** page: + - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) + - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) +- To view the **Windows** tab in the **Software Updates** page: + - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) + +> [!NOTE] +> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status). diff --git a/windows/deployment/update/includes/update-compliance-onboard-admin-center.md b/windows/deployment/update/includes/update-compliance-onboard-admin-center.md new file mode 100644 index 0000000000..13183b46dd --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-onboard-admin-center.md @@ -0,0 +1,23 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/18/2022 +ms.localizationpriority: medium +--- + +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. +1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. +1. In the **Software Updates** page, select the **Windows** tab. +1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Update Compliance](../update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: + + - The Azure subscription + - The Log Analytics workspace +1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Update Compliance data**. +1. After the initial setup is complete, the **Windows** tab will display your Update Compliance data in the charts. + +> [!Tip] +> If you don't see an entry for **Software updates (preview)** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). diff --git a/windows/deployment/update/includes/update-compliance-script-error-codes.md b/windows/deployment/update/includes/update-compliance-script-error-codes.md new file mode 100644 index 0000000000..fa70e9df8b --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-script-error-codes.md @@ -0,0 +1,62 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/18/2022 +ms.localizationpriority: medium +--- + +|Error |Description | +|---------|---------| +| 1 | General unexpected error| +| 6 | Invalid CommercialID| +| 8 | Couldn't create registry key path to set up CommercialID| +| 9 | Couldn't write CommercialID at registry key path| +| 11 | Unexpected result when setting up CommercialID.| +| 12 | CheckVortexConnectivity failed, check Log output for more information.| +| 12 | Unexpected failure when running CheckVortexConnectivity.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 27 | Not system account. | +| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 35 | Unexpected exception when checking User Proxy.| +| 37 | Unexpected exception when collecting logs| +| 40 | Unexpected exception when checking and setting telemetry.| +| 41 | Unable to impersonate logged-on user.| +| 42 | Unexpected exception when attempting to impersonate logged-on user.| +| 43 | Unexpected exception when attempting to impersonate logged-on user.| +| 44 | Error when running CheckDiagTrack service.| +| 45 | DiagTrack.dll not found.| +| 48 | CommercialID isn't a GUID| +| 50 | DiagTrack service not running.| +| 51 | Unexpected exception when attempting to run Census.exe| +| 52 | Couldn't find Census.exe| +| 53 | There are conflicting CommercialID values.| +| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 55 | Failed to create new registry path for SetDeviceNameOptIn| +| 56 | Failed to create property for SetDeviceNameOptIn at registry path| +| 57 | Failed to update value for SetDeviceNameOptIn| +| 58 | Unexpected exception in SetrDeviceNameOptIn| +| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| +| 60 | Failed to delete registry key when attempting to clean up OneSettings.| +| 61 | Unexpected exception when attempting to clean up OneSettings.| +| 62 | AllowTelemetry registry key isn't of the correct type REG_DWORD| +| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.| +| 64 | AllowTelemetry isn't of the correct type REG_DWORD.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP.| +| 91 | Failed to create new registry path for EnableAllowUCProcessing| +| 92 | Failed to create property for EnableAllowUCProcessing at registry path| +| 93 | Failed to update value for EnableAllowUCProcessing| +| 94 | Unexpected exception in EnableAllowUCProcessing| +| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline | +| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path | +| 97 | Failed to update value for EnableAllowCommercialDataPipeline | +| 98 | Unexpected exception in EnableAllowCommercialDataPipeline | +| 99 | Device isn't Windows 10.| +| 100 | Device must be AADJ or hybrid AADJ to use Update Compliance | +| 101 | Check AADJ failed with unexpected exception | \ No newline at end of file diff --git a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md new file mode 100644 index 0000000000..d3fdaa9c05 --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md @@ -0,0 +1,43 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/10/2022 +ms.localizationpriority: medium +--- + + +In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: + +1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **On** for the following option: + + - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** + - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** + +1. Select **Open Diagnostic Data Viewer**. + - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. + - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. + +1. Check for software updates on the client device. + - Windows 11: + 1. Go to **Start**, select **Settings** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + - Windows 10: + 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + +1. Run the **Diagnostic Data Viewer**. + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. +1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: + - The **EnrolledTenantID** field under **m365a** should equal the `CommercialID` of your Log Analytics workspace for Update Compliance. `CommercialID` is no longer required for the [preview version of Updates Compliance](../update-compliance-v2-overview.md), but the value may still be listed in this field. + - The **MSP** field value under **protocol** should be either `16` or `18`. + - If you need to send this data to Microsoft Support, select **Export data**. + + :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="../media/update-compliance-diagnostic-data-viewer.png" lightbox="../media/update-compliance-diagnostic-data-viewer.png"::: + diff --git a/windows/deployment/update/media/33771278-overall-security-update-status.png b/windows/deployment/update/media/33771278-overall-security-update-status.png new file mode 100644 index 0000000000..49d634956c Binary files /dev/null and b/windows/deployment/update/media/33771278-overall-security-update-status.png differ diff --git a/windows/deployment/update/media/33771278-update-compliance-feedback.png b/windows/deployment/update/media/33771278-update-compliance-feedback.png new file mode 100644 index 0000000000..bab180d192 Binary files /dev/null and b/windows/deployment/update/media/33771278-update-compliance-feedback.png differ diff --git a/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png b/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png new file mode 100644 index 0000000000..bf5f0272ac Binary files /dev/null and b/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png differ diff --git a/windows/deployment/update/media/33771278-update-deployment-status-table.png b/windows/deployment/update/media/33771278-update-deployment-status-table.png new file mode 100644 index 0000000000..4ee85fcc56 Binary files /dev/null and b/windows/deployment/update/media/33771278-update-deployment-status-table.png differ diff --git a/windows/deployment/update/media/33771278-workbook-summary-tab-tiles.png b/windows/deployment/update/media/33771278-workbook-summary-tab-tiles.png new file mode 100644 index 0000000000..7f1dddf600 Binary files /dev/null and b/windows/deployment/update/media/33771278-workbook-summary-tab-tiles.png differ diff --git a/windows/deployment/update/media/docs-feedback.png b/windows/deployment/update/media/docs-feedback.png new file mode 100644 index 0000000000..2c6afbc101 Binary files /dev/null and b/windows/deployment/update/media/docs-feedback.png differ diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 3f1840da1b..c301863138 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -42,7 +42,7 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e | Policy | Data type | Value | Function | |--------------------------|-|-|------------------------------------------------------------| |**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | -|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | +|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. For more information, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). | |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | | **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index bb275f2935..15c207cf56 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -40,7 +40,7 @@ This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`): 1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`. -2. Set `commercialIDValue` to your Commercial ID. +2. Set `setCommercialID=true` and set the `commercialIDValue` to your [Commercial ID](update-compliance-get-started.md#get-your-commercialid). 3. Run the script. 4. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. 5. If there are issues, gather the logs and provide them to Support. @@ -48,87 +48,10 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru ## Script errors -|Error |Description | -|---------|---------| -| 1 | General unexpected error| -| 6 | Invalid CommercialID| -| 8 | Couldn't create registry key path to setup CommercialID| -| 9 | Couldn't write CommercialID at registry key path| -| 11 | Unexpected result when setting up CommercialID.| -| 12 | CheckVortexConnectivity failed, check Log output for more information.| -| 12 | Unexpected failure when running CheckVortexConnectivity.| -| 16 | Reboot is pending on device, restart device and restart script.| -| 17 | Unexpected exception in CheckRebootRequired.| -| 27 | Not system account. | -| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| -| 34 | Unexpected exception when attempting to check Proxy settings.| -| 35 | Unexpected exception when checking User Proxy.| -| 37 | Unexpected exception when collecting logs| -| 40 | Unexpected exception when checking and setting telemetry.| -| 41 | Unable to impersonate logged-on user.| -| 42 | Unexpected exception when attempting to impersonate logged-on user.| -| 43 | Unexpected exception when attempting to impersonate logged-on user.| -| 44 | Error when running CheckDiagTrack service.| -| 45 | DiagTrack.dll not found.| -| 48 | CommercialID is not a GUID| -| 50 | DiagTrack service not running.| -| 51 | Unexpected exception when attempting to run Census.exe| -| 52 | Could not find Census.exe| -| 53 | There are conflicting CommercialID values.| -| 54 | Microsoft account (MSA) Sign In Assistant Service disabled.| -| 55 | Failed to create new registry path for SetDeviceNameOptIn| -| 56 | Failed to create property for SetDeviceNameOptIn at registry path| -| 57 | Failed to update value for SetDeviceNameOptIn| -| 58 | Unexpected exception in SetrDeviceNameOptIn| -| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| -| 60 | Failed to delete registry key when attempting to clean up OneSettings.| -| 61 | Unexpected exception when attempting to clean up OneSettings.| -| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD| -| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| -| 64 | AllowTelemetry is not of the correct type REG_DWORD.| -| 66 | Failed to verify UTC connectivity and recent uploads.| -| 67 | Unexpected failure when verifying UTC CSP.| -| 91 | Failed to create new registry path for EnableAllowUCProcessing| -| 92 | Failed to create property for EnableAllowUCProcessing at registry path| -| 93 | Failed to update value for EnableAllowUCProcessing| -| 94 | Unexpected exception in EnableAllowUCProcessing| -| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline | -| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path | -| 97 | Failed to update value for EnableAllowCommercialDataPipeline | -| 98 | Unexpected exception in EnableAllowCommercialDataPipeline | -| 99 | Device is not Windows 10.| - + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)] ## Verify device configuration - -In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: - -1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). - 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **On** for the following option: - - - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** - - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** - -1. Select **Open Diagnostic Data Viewer**. - - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. - - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. - -1. Check for software updates on the client device. - - Windows 11: - 1. Go to **Start**, select **Settings** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - - Windows 10: - 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - -1. Run the **Diagnostic Data Viewer**. - 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. -1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: - - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-get-started.md#get-your-commercialid) of your Log Analytics workspace for Update Compliance. - - The **MSP** field value under **protocol** should be either `16` or `18`. - - If you need to send this data to Microsoft Support, select **Export data**. - - :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png"::: + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)]: diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 2497f639dc..3449a9e3ff 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -40,7 +40,7 @@ Before you begin the process to add Update Compliance to your Azure subscription - **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). - **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). -- **Azure AD device join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022. +- **Azure AD device join** or **hybrid Azure AD join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022. ## Add Update Compliance to your Azure subscription @@ -92,19 +92,22 @@ Once the solution is in place, you can leverage one of the following Azure roles > [!NOTE] > It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription. - + ### Get your CommercialID -A CommercialID is a globally unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment. +A `CommercialID` is a globally unique identifier assigned to a specific Log Analytics workspace. The `CommercialID` is copied to an MDM or Group Policy and is used to identify devices in your environment. The `Commercial ID` directs your clients to the Update Compliance solution in your Log Analytics workspace. You'll need this ID when you configure clients to send data to Update Compliance. -To find your CommercialID within Azure: +1. If needed, sign into the [Azure portal](https://portal.azure.com). +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. Select the Log Analytics workspace that you added the Update Compliance solution to. +1. Select **Solutions** from the Log Analytics workspace, then select **WaaSUpdateInsights(<Log Analytics workspace name>)** to go to the summary page for the solution. +1. Select **Update Compliance Settings** from the **WaaSUpdateInsights(<Log Analytics workspace name>)** summary page. +1. The **Commercial Id Key** is listed in the text box with an option to copy the ID. The **Commercial Id Key** is commonly referred to as the `CommercialID` or **Commercial ID** in Update Compliance. -1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution. -2. From there, select the Update Compliance Settings page on the navbar. -3. Your CommercialID is available in the settings page. + > [!Warning] + > Regenerate a Commercial ID only if your original ID can no longer be used. Regenerating a Commercial ID requires you to deploy the new commercial ID to your computers in order to continue to collect data and can result in data loss. -> [!IMPORTANT] -> Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices. ## Enroll devices in Update Compliance diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index ec78a072db..80aca45d8a 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md @@ -22,7 +22,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on |**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). | |**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. | |**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. | -|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:

  • **Update completed**: Device has completed the update installation.
  • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
  • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
  • **Canceled**: The update was canceled.
  • **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
  • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.
  • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
  • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.| +|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
  • **Update completed**: Device has completed the update installation.
  • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
  • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
  • **Canceled**: The update was canceled.
  • **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
  • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.
  • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
  • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.
  • **Progress stalled**: The update is in progress, but has not completed over a period of 7 days.| |**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
  • **Not Started**: Update hasn't started because the device isn't targeting the latest 2 builds
  • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
  • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
  • **Update offered**: The device has been offered the update, but hasn't begun downloading it.
  • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
  • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and won't resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
  • **Download started**: The update has begun downloading on the device.
  • **Download Succeeded**: The update has successfully completed downloading.
  • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
  • **Install Started**: Installation of the update has begun.
  • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
  • **Reboot Pending**: The device has a scheduled reboot to apply the update.
  • **Reboot Initiated**: The scheduled reboot has been initiated.
  • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
  • **Update Completed**: The update has successfully installed.| |**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. | |**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. | diff --git a/windows/deployment/update/update-compliance-v2-configuration-manual.md b/windows/deployment/update/update-compliance-v2-configuration-manual.md index 708fcce0bf..07c449792b 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-manual.md +++ b/windows/deployment/update/update-compliance-v2-configuration-manual.md @@ -17,7 +17,8 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. There are a number of requirements to consider when manually configuring devices for Update Compliance. These requirements can potentially change with newer versions of Windows client. The [Update Compliance configuration script](update-compliance-v2-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. @@ -42,7 +43,6 @@ Each MDM Policy links to its documentation in the configuration service provider | Policy | Data type | Value | Function | |--------------------------|-|-|------------------------------------------------------------| -|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) |Identifies the device as belonging to your organization. | |**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and won't be visible in Update Compliance, showing `#` instead. | @@ -55,7 +55,6 @@ All Group policies that need to be configured for Update Compliance are under ** | Policy | Value | Function | |---------------------------|-|-----------------------------------------------------------| -|**Configure the Commercial ID** |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) | Identifies the device as belonging to your organization. | |**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the **Configure telemetry opt-in setting user interface**. | |**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | |**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Update Compliance, showing `#` instead. | diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index 1a6b98c90c..765128a9dc 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md +++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md @@ -9,7 +9,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 08/24/2022 --- # Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) @@ -17,7 +17,8 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Endpoint Manager](/mem/endpoint-manager-overview))*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: @@ -28,54 +29,79 @@ This article is specifically targeted at configuring devices enrolled to [Micros ## Create a configuration profile -Take the following steps to create a configuration profile that will set required policies for Update Compliance: +Create a configuration profile that will set the required policies for Update Compliance. There are two profile types that can be used to create a configuration profile for Update Compliance: +- The [settings catalog](#settings-catalog) +- [Template](#custom-oma-uri-based-profile) for a custom OMA URI based profile -1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. -1. On the **Configuration profiles** view, select **Create a profile**. +### Settings catalog + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. On the **Configuration profiles** view, select **Create profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**. +1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you'll be adding multiple settings from the **System** category. Using the **Settings picker**, select the **System** category, then add the following settings and values: + 1. Required settings for Update Compliance: + - **Setting**: Allow Commercial Data Pipeline + - **Value**: Enabled + - **Setting**: Allow Telemetry + - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) + - **Setting**: Allow Update Compliance Processing + - **Value**: Enabled + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Setting**: Configure Telemetry Opt In Change Notification + - **Value**: Disable telemetry change notifications + - **Setting**: Configure Telemetry Opt In Settings Ux + - **Value**: Disable Telemetry opt-in Settings + 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Update Compliance: + - **Setting**: Allow device name to be sent in Windows diagnostic data + - **Value**: Allowed + +1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +1. Review the settings and then select **Create**. + +### Custom OMA URI based profile + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. On the **Configuration profiles** view, select **Create profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -1. For **Template name**, select **Custom**, and then press **Create**. +1. For **Template name**, select **Custom**, and then select **Create**. 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). - 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-v2-enable.md#bkmk_id). - 1. Add a setting for **Commercial ID** with the following values: - - **Name**: Commercial ID - - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - - **Data type**: String - - **Value**: *Set this value to your Commercial ID* + + 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: + - **Name**: Allow commercial data pipeline + - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` + - **Data type**: Integer + - **Value**: 1 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). - 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - - **Name**: Disable Telemetry opt-in interface - - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` - - **Data type**: Integer - - **Value**: 1 - 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: - - **Name**: Allow device name in Diagnostic Data - - **Description**: Allows device name in Diagnostic Data. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - - **Data type**: Integer - - **Value**: 1 + - **Value**: 1 (*1 is the minimum value meaning basic, but it can be safely set to a higher value*). 1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: - **Name**: Allow Update Compliance Processing - **Description**: Opts device data into Update Compliance processing. Required to see data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - **Data type**: Integer - **Value**: 16 - 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: - - **Name**: Allow commercial data pipeline - - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` + - **Data type**: Integer + - **Value**: 1 + 1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 + 1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -1. Review and select **Create**. +1. Review the settings and then select **Create**. ## Deploy the configuration script diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md index aafe9ff807..ce8b8ff96b 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-script.md +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md @@ -17,7 +17,8 @@ ms.date: 06/16/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-v2-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. @@ -42,95 +43,21 @@ This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`): 1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`. -1. Set `commercialIDValue` to your [Commercial ID](update-compliance-v2-enable.md#bkmk_id) for the Update Compliance solution. +1. Don't modify the [Commercial ID](update-compliance-get-started.md#get-your-commercialid) values since they're used for the earlier version of Update Compliance. Leave `setCommercialID=false` and the `commercialIDValue=Unknown`. 1. Run the script. 1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. 1. If there are issues, gather the logs and provide them to Microsoft Support. ## Verify device configuration -In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: - -1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). - 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **On** for the following option: - - - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** - - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** - -1. Select **Open Diagnostic Data Viewer**. - - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. - - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. - -1. Check for software updates on the client device. - - Windows 11: - 1. Go to **Start**, select **Settings** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - - Windows 10: - 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - -1. Run the **Diagnostic Data Viewer**. - 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. -1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: - - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-v2-enable.md#bkmk_id) of your Log Analytics workspace for Update Compliance. - - The **MSP** field value under **protocol** should be either `16` or `18`. - - If you need to send this data to Microsoft Support, select **Export data**. - - :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png"::: + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)] ## Script errors -|Error |Description | -|---------|---------| -| 1 | General unexpected error| -| 6 | Invalid CommercialID| -| 8 | Couldn't create registry key path to set up CommercialID| -| 9 | Couldn't write CommercialID at registry key path| -| 11 | Unexpected result when setting up CommercialID.| -| 12 | CheckVortexConnectivity failed, check Log output for more information.| -| 12 | Unexpected failure when running CheckVortexConnectivity.| -| 16 | Reboot is pending on device, restart device and restart script.| -| 17 | Unexpected exception in CheckRebootRequired.| -| 27 | Not system account. | -| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| -| 34 | Unexpected exception when attempting to check Proxy settings.| -| 35 | Unexpected exception when checking User Proxy.| -| 37 | Unexpected exception when collecting logs| -| 40 | Unexpected exception when checking and setting telemetry.| -| 41 | Unable to impersonate logged-on user.| -| 42 | Unexpected exception when attempting to impersonate logged-on user.| -| 43 | Unexpected exception when attempting to impersonate logged-on user.| -| 44 | Error when running CheckDiagTrack service.| -| 45 | DiagTrack.dll not found.| -| 48 | CommercialID isn't a GUID| -| 50 | DiagTrack service not running.| -| 51 | Unexpected exception when attempting to run Census.exe| -| 52 | Couldn't find Census.exe| -| 53 | There are conflicting CommercialID values.| -| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| -| 55 | Failed to create new registry path for SetDeviceNameOptIn| -| 56 | Failed to create property for SetDeviceNameOptIn at registry path| -| 57 | Failed to update value for SetDeviceNameOptIn| -| 58 | Unexpected exception in SetrDeviceNameOptIn| -| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| -| 60 | Failed to delete registry key when attempting to clean up OneSettings.| -| 61 | Unexpected exception when attempting to clean up OneSettings.| -| 62 | AllowTelemetry registry key isn't of the correct type REG_DWORD| -| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.| -| 64 | AllowTelemetry isn't of the correct type REG_DWORD.| -| 66 | Failed to verify UTC connectivity and recent uploads.| -| 67 | Unexpected failure when verifying UTC CSP.| -| 91 | Failed to create new registry path for EnableAllowUCProcessing| -| 92 | Failed to create property for EnableAllowUCProcessing at registry path| -| 93 | Failed to update value for EnableAllowUCProcessing| -| 94 | Unexpected exception in EnableAllowUCProcessing| -| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline | -| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path | -| 97 | Failed to update value for EnableAllowCommercialDataPipeline | -| 98 | Unexpected exception in EnableAllowCommercialDataPipeline | -| 99 | Device isn't Windows 10.| + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)] + ## Next steps diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md index 313d748f40..2125392ab8 100644 --- a/windows/deployment/update/update-compliance-v2-enable.md +++ b/windows/deployment/update/update-compliance-v2-enable.md @@ -16,18 +16,23 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are met, you can start to set up Update Compliance. The two main steps for setting up the Update Compliance solution are: 1. [Add Update Compliance](#bkmk_add) to your Azure subscription. This step has the following two phases: 1. [Select or create a new Log Analytics workspace](#bkmk_workspace) for use with Update Compliance. 1. [Add the Update Compliance solution](#bkmk_solution) to the Log Analytics workspace. + 1. [Configure Update Compliance](#bkmk_admin-center) from the Microsoft 365 admin center. + 1. Configure the clients to send data to Update compliance. You can configure clients in the following three ways: - Use a [script](update-compliance-v2-configuration-script.md) - Use [Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) - Configure [manually](update-compliance-v2-configuration-manual.md) +> [!IMPORTANT] +> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. ## Add Update Compliance to your Azure subscription Before you configure clients to send data, you'll need to add the Update Compliance solution to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll add the Update Compliance solution to the workspace. @@ -63,27 +68,19 @@ Update Compliance is offered as an Azure Marketplace application that's linked t > [!Note] > - You can only map one tenant to one Log Analytics workspace. Mapping one tenant to multiple workspaces isn't supported. -> - If you change the Log Analytics workspace for Update Compliance, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. +> - If you change the Log Analytics workspace for Update Compliance, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. You will also need to reconfigure the Update Compliance settings in the Microsoft 365 admin center. -### Get the Commercial ID for the Update Compliance solution +### Configure Update Compliance settings through the Microsoft 365 admin center -The **Commercial ID** directs your clients to the Update Compliance solution in your Log Analytics workspace. You'll need this ID when you configure clients to send data to Update Compliance. +Finish enabling Updates Compliance by configuring its settings through the Microsoft 365 admin center. Completing the Update Compliance configuration through the admin center removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by the earlier version of Updates Compliance. This step is needed even if you enabled earlier previews of Update Compliance. -1. If needed, sign into the [Azure portal](https://portal.azure.com). -1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. -1. Select **Log Analytics workspaces**. -1. Select the Log Analytics workspace that you added the Update Compliance solution to. -1. Select **Solutions** from the Log Analytics workspace, then select **WaaSUpdateInsights(<Log Analytics workspace name>)** to go to the summary page for the solution. -1. Select **Update Compliance Settings** from the **WaaSUpdateInsights(<Log Analytics workspace name>)** summary page. -1. The **Commercial Id Key** is listed in the text box with an option to copy the ID. The **Commercial Id Key** is commonly referred to as the `CommercialID` or **Commercial ID** in Update Compliance. - - > [!Warning] - > Regenerate a Commercial ID only if your original ID can no longer be used. Regenerating a Commercial ID requires you to deploy the new commercial ID to your computers in order to continue to collect data and can result in data loss. + +[!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)] ## Next steps -Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. Enroll devices into Update Compliance using any of the following methods: +Once you've added Update Compliance to a workspace in your Azure subscription and configured the settings through the Microsoft 365 admin center, you'll need to configure any devices you want to monitor. Enroll devices into Update Compliance using any of the following methods: - [Configure clients with a script](update-compliance-v2-configuration-script.md) - [Configure clients manually](update-compliance-v2-configuration-manual.md) diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md new file mode 100644 index 0000000000..871ce3464e --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-help.md @@ -0,0 +1,110 @@ +--- +title: Update Compliance (preview) feedback, support, and troubleshooting +ms.reviewer: +manager: dougeby +description: Update Compliance (preview) support information. +ms.prod: w10 +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 08/10/2022 +--- + +# Update Compliance (preview) feedback, support, and troubleshooting + + +***(Applies to: Windows 11 & Windows 10)*** + +> [!IMPORTANT] +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +There are several resources that you can use to find help with Update Compliance. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Update Compliance: + +- Send [product feedback about Update Compliance](#send-product-feedback) +- Open a [Microsoft support case](#open-a-microsoft-support-case) + +- [Documentation feedback](#documentation-feedback) +- [Troubleshooting tips](#troubleshooting-tips) for Update Compliance +- Follow the [Windows IT Pro blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) to learn about upcoming changes to Update Compliance +- Use Microsoft Q&A to [ask product questions](/answers/products/) + +## Send product feedback + +Use the product feedback option to offer suggestions for new features and functionality, or for suggesting changes to the current Update Compliance features. You can share feedback directly to the Update Compliance product group. To provide product feedback: + +1. In the upper right corner of the Azure portal, select the feedback icon. +1. Select either the smile or the frown to rate your satisfaction with your experience. +1. In the text box, describe what you did or didn't like. When providing feedback about a problem, be sure to include enough detail in your description so it can be properly identified by the product group. +1. Choose if you'd like to allow Microsoft to email you about your feedback. +1. Select **Submit feedback** when you've completed the feedback form. +:::image type="content" source="media/33771278-update-compliance-feedback.png" alt-text="Screenshot of the Azure portal showing the product feedback option flyout." lightbox="media/33771278-update-compliance-feedback.png"::: + +## Open a Microsoft support case + +You can open support requests directly from the Azure portal. If the **Help + Support** page doesn't display, verify you have access to open support requests. For more information about role-based access controls for support requests, see [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). To create a new support request for Update Compliance: + +1. Open the **Help + Support** page from the following locations: + - In the [Send product feedback](#send-product-feedback) flyout, select the **contact support** link. + - From the Azure portal, select **New support request** under the **Support + Troubleshooting** heading. +1. Select **Create a support request** which opens the new support request page. +1. On the **Problem description** tab, provide information about the issue. The below items in ***bold italics*** should be used to help ensure an Update Compliance engineer receives your support request: + - **Summary** - Brief description of the issue + - **Issue type** - ***Technical*** + - **Subscription** - Select the subscription used for Update Compliance + - **Service** - ***My services*** + - **Service type** - ***Log Analytics*** + - **Problem type** - ***Solutions or Insights*** + - **Problem subtype** - ***Update Compliance*** +1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem. +1. Complete the **Additional details** tab and then create the request on the **Review + create** tab. + +## Documentation feedback + +Select the **Feedback** link in the upper right of any article to go to the Feedback section at the bottom. Feedback is integrated with GitHub Issues. For more information about this integration with GitHub Issues, see the [docs platform blog post](/teamblog/a-new-feedback-system-is-coming-to-docs). + +:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section on a docs article."::: + +To share docs feedback about the current article, select **This page**. A [GitHub account](https://github.com/join) is a prerequisite for providing documentation feedback. Once you sign in, there's a one-time authorization for the MicrosoftDocs organization. It then opens the GitHub new issue form. Add a descriptive title and detailed feedback in the body, but don't modify the document details section. Then select **Submit new issue** to file a new issue for the target article in the [Windows-ITPro-docs GitHub repository](https://github.com/MicrosoftDocs/windows-itpro-docs/issues). + +To see whether there's already feedback for this article, select **View all page feedback**. This action opens a GitHub issue query for this article. By default it displays both open and closed issues. Review any existing feedback before you submit a new issue. If you find a related issue, select the face icon to add a reaction, add a comment to the thread, or **Subscribe** to receive notifications. + +Use GitHub Issues to submit the following types of feedback: + +- Doc bug: The content is out of date, unclear, confusing, or broken. +- Doc enhancement: A suggestion to improve the article. +- Doc question: You need help with finding existing documentation. +- Doc idea: A suggestion for a new article. +- Kudos: Positive feedback about a helpful or informative article. +- Localization: Feedback about content translation. +- Search engine optimization (SEO): Feedback about problems searching for content. Include the search engine, keywords, and target article in the comments. + +If you create an issue for something not related to documentation, Microsoft will close the issue and redirect you to a better feedback channel. For example: + +- [Product feedback](#send-product-feedback) for Update Compliance +- [Product questions (using Microsoft Q&A)](/answers/products/) +- [Support requests](#open-a-microsoft-support-case) for Update Compliance + +To share feedback on the fundamental docs.microsoft.com platform, see [Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. + +## Troubleshooting tips + +Use the troubleshooting tips below to resolve commonly encountered problems when using Update Compliance: + +### Verify client configuration + + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)] + +### Ensuring devices are configured correctly to send data + +The first step in troubleshooting Update Compliance is ensuring that devices are configured. Review [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md) for the settings. We recommend using the [Update Compliance configuration script](update-compliance-v2-configuration-script.md) for troubleshooting and configuring devices. + +### Devices have been correctly configured but aren't showing up in Update Compliance + +It takes some time for data to appear in Update Compliance for the first time or if you moved to a new Log Analytics workspace. To learn more about data latencies for Update Compliance, review [Update Compliance data latency](update-compliance-v2-use.md#update-compliance-data-latency). + +### Devices are appearing, but without a device name + +Device Name is an opt-in via policy starting in Windows 10 version 1803. Review the required policies for enabling device name in the [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md) article. diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index dcd9c0e7c9..ee51d8c204 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md @@ -8,7 +8,7 @@ author: mestew ms.author: mstewart ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 08/09/2022 --- # Update Compliance overview @@ -16,25 +16,29 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory-joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you: - Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices - Report on devices with update compliance issues -- Review [Delivery Optimization](../do/waas-delivery-optimization.md) bandwidth savings across multiple content types +- Analyze and display your data in multiple ways -## Technical preview information for Update Compliance -The new version of Update Compliance is in technical preview. Some of the benefits of this new version include: +## Preview information for Update Compliance + +The new version of Update Compliance is in preview. Some of the benefits of this new version include: - Integration with [Windows Update for Business deployment service](deployment-service-overview.md) to enable per deployment reporting, monitoring, and troubleshooting. - Compatibility with [Feature updates](/mem/intune/protect/windows-10-feature-updates) and [Expedite Windows quality updates](/mem/intune/protect/windows-10-expedite-updates) policies in Intune. - A new **Alerts** data type to assist you with identifying devices that encounter issues during the update process. Error code information is provided to help troubleshoot update issues. -Currently, the technical preview contains the following features: +Currently, the preview contains the following features: -- Access to the following new Update Compliance tables: +- [Update Compliance workbook](update-compliance-v2-workbook.md) +- Update Compliance status [charts in the Microsoft 365 admin](update-status-admin-center.md) +- Access to the following new [Update Compliance tables](update-compliance-v2-schema.md): - UCClient - UCClientReadinessStatus - UCClientUpdateStatus @@ -43,10 +47,14 @@ Currently, the technical preview contains the following features: - UCUpdateAlert - Client data collection to populate the new Update Compliance tables +Currently, these new tables are available to all Updates Compliance users. They will be displayed along with the original Updates Compliance tables. + :::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png"::: -> [!IMPORTANT] -> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. +## Limitations + +Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + ## How Update Compliance works @@ -69,6 +77,8 @@ Since the data from your clients is stored in a Log Analytics workspace, you can - [Power BI](/azure/azure-monitor/logs/log-powerbi) - Other tools for [querying the data](/azure/azure-monitor/logs/log-query-overview) + + ## Next steps - Review the [Update Compliance prerequisites](update-compliance-v2-prerequisites.md) diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md index 88cfdcb10b..31c046a6b0 100644 --- a/windows/deployment/update/update-compliance-v2-prerequisites.md +++ b/windows/deployment/update/update-compliance-v2-prerequisites.md @@ -16,8 +16,8 @@ ms.date: 06/30/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. -> - Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. ## Update Compliance prerequisites @@ -66,15 +66,9 @@ For more information about what's included in different diagnostic levels, see [ > [!NOTE] > Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription. -## Microsoft 365 admin center permissions (currently optional) - -When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also needed: - -- To configure settings and view the **Software Updates** page: - - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) - - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) -- To view the **Software Updates** page: - - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) +## Microsoft 365 admin center permissions + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-admin-center-permissions.md)] ## Log Analytics prerequisites diff --git a/windows/deployment/update/update-compliance-v2-schema.md b/windows/deployment/update/update-compliance-v2-schema.md index ce8c149ee1..add12d9e62 100644 --- a/windows/deployment/update/update-compliance-v2-schema.md +++ b/windows/deployment/update/update-compliance-v2-schema.md @@ -16,7 +16,8 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more. diff --git a/windows/deployment/update/update-compliance-v2-use.md b/windows/deployment/update/update-compliance-v2-use.md index c136aeae12..9326548d4f 100644 --- a/windows/deployment/update/update-compliance-v2-use.md +++ b/windows/deployment/update/update-compliance-v2-use.md @@ -1,8 +1,8 @@ --- -title: Use the Update Compliance (preview) solution +title: Use the Update Compliance (preview) data ms.reviewer: manager: dougeby -description: How to use the Update Compliance (preview) solution. +description: How to use the Update Compliance (preview) data. ms.prod: w10 author: mestew ms.author: mstewart diff --git a/windows/deployment/update/update-compliance-v2-workbook.md b/windows/deployment/update/update-compliance-v2-workbook.md new file mode 100644 index 0000000000..a781782920 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-workbook.md @@ -0,0 +1,149 @@ +--- +title: Use the workbook for Update Compliance (preview) +ms.reviewer: +manager: dougeby +description: How to use the Update Compliance (preview) workbook. +ms.prod: w10 +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 08/10/2022 +--- + +# Update Compliance (preview) workbook + +***(Applies to: Windows 11 & Windows 10)*** + +> [!IMPORTANT] +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +[Update Compliance](update-compliance-v2-overview.md) presents information commonly needed by updates administrators in an easy to use format. Update Compliance uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into three tab sections: + +- [Summary](#summary-tab) +- [Quality updates](#quality-updates-tab) +- [Feature updates](#feature-updates-tab) + +:::image type="content" source="media/33771278-update-compliance-workbook-summary.png" alt-text="Screenshot of the summary tab in the Update Compliance workbook with the three tabbed sections outlined in red." lightbox="media/33771278-update-compliance-workbook-summary.png"::: + +## Open the Update Compliance workbook + +To access the Update Compliance workbook: + +1. In the [Azure portal](https://portal.azure.com), select **Monitor** > **Workbooks** from the menu bar. + - You can also type **Monitor** in the search bar. As you begin typing, the list filters based on your input. + +1. When the gallery opens, select the **Update Compliance** workbook. If needed, you can filter workbooks by name in the gallery. +1. When the workbook opens, you may need to specify which **Subscription** and **Workspace** you used when [enabling Update Compliance](update-compliance-v2-enable.md). + +## Summary tab + +The **Summary** tab gives you a brief high-level overview of the devices that you've enrolled into Update Compliance. The **Summary** tab contains tiles above the **Overall security update status** chart. + +### Summary tab tiles + +Each of these tiles contains an option to **View details**. When **View details** is selected for a tile, a flyout appears with additional information. + +:::image type="content" source="media/33771278-workbook-summary-tab-tiles.png" alt-text="Screenshot of the summary tab tiles in the Update Compliance workbook"::: + +| Tile name | Description | View details description | +|---|---|------| +| **Enrolled devices** | Total number of devices that are enrolled into Update Compliance | Displays multiple charts about the operating systems (OS) for enrolled devices:
    **OS Version**
    **OS Edition**
    **OS Servicing Channel**
    **OS Architecture**| +|**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each.

    Select the count of **Devices** to display a table of the devices. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).

    Select an **AlertSubtype** to display a list containing:
    - Each **Error Code** in the alert subtype
    - A **Description** of the error code
    - A **Recommendation** to help you remediate the error code
    - A count of **Devices** with the specific error code | +| **Windows 11 eligibility** | Percentage of devices that are capable of running Windows 11 | Displays the following items:
    - **Windows 11 Readiness Status** chart
    - **Readiness Reason(s) Breakdown** chart that displays Windows 11 requirements that aren't met.
    - A table for **Readiness reason**. Select a reason to display a list of devices that don't meet a specific requirement for Windows 11. | + +### Summary tab charts + +The charts displayed in the **Summary** tab give you a general idea of the overall status of your devices. The two charts displayed include: + +- **Overall security update status**: Gives you general insight into of the current update compliance state of your enrolled devices. For instance, if the chart shows a large number of devices are missing multiple security updates, it may indicate an issue in the software update process. + +- **Feature update status**: Gives you a general understanding of how many devices are eligible for feature updates based on the operating system lifecycle. + +:::image type="content" source="media/33771278-overall-security-update-status.png" alt-text="Screenshot of the charts in the workbook's summary tab" lightbox="media/33771278-overall-security-update-status.png"::: + +## Quality updates tab + +The **Quality updates** tab displays generalized data at the top by using tiles. The quality update data becomes more specific as you navigate lower in this tab. The top of the **Quality updates** tab contains tiles with the following information: + +- **Devices count**: Count of devices that have reported at least one security update is or was applicable and offered in the past 30 days, regardless of installation state of the update. +- **Latest security update**: Count of devices that have installed the latest security update. +- **Security update status**: Count of devices that haven't installed a security update released within the last 60 days. +- **Total alerts**: Count of active alerts that are for quality updates. + +Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end-users are impacted. + +### Update status group for quality updates + +The **Update status** group for quality updates contains the following items: + +- **Update states for all security releases**: Chart containing the number of devices in a specific state, such as installing, for security updates. +- **Update states for the latest security releases**: Chart containing the number of devices in a specific state for the most recent security update. +- **Update alerts for all security releases**: Chart containing the count of active errors and warnings for security updates. + +:::image type="content" source="media/33771278-update-deployment-status-table.png" alt-text="Screenshot of the charts and table in the workbook's quality updates tab" lightbox="media/33771278-update-deployment-status-table.png"::: + +The **Update deployment status** table displays the quality updates for each operating system version that were released within the last 60 days. For each update, drill-in further by selecting a value from the following columns: + +| Column name | Description | Drill-in description | +|---|---|---| +|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. +| **KB Number** | KB number for the update | Selecting the KB number will open the support information webpage for the update.| +| **Total devices** | Number of devices that have been offered the update, or are installing, have installed, or canceled the update. | Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | + +### Device status group for quality updates + +The **Device status** group for quality updates contains the following items: + +- **OS build number**: Chart containing a count of devices by OS build that are getting security updates. +- **Target version**: Chart containing how many devices by operating system version that are getting security updates. +- **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices. + - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + +## Feature updates tab + +The **Feature updates** tab displays generalized data at the top by using tiles. The feature update data becomes more specific as you navigate lower in this tab. The top of the **Feature updates** tab contains tiles with the following information: + +- **Devices count**: Count of devices that have reported a feature update is or was applicable and offered in the past 30 days, regardless of installation state of the update. +- **Feature update status**: Count of the devices that installed a feature update in the past 30 days. +- **End Of Service**: Count of devices running an operating system version that no longer receives feature updates. For more information, see the [Windows lifecycle FAQ](/lifecycle/faq/windows). +- **Nearing EOS** Count of devices that are within 18 months of their end of service date. +- **Total alerts**: Count of active alerts that are for feature updates. + +Just like the [**Quality updates** tab](#quality-updates-tab), the **Feature updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. + +### Update status group for feature updates + +The **Update status** group for feature updates contains the following items: + +- **Target version**: Chart containing count of devices per targeted operating system version. +- **Safeguard holds**: Chart containing count of devices per operating system version that are under a safeguard hold for a feature update +- **Update alerts**: Chart containing the count of active errors and warnings for feature updates. + +**Update deployment status** table for feature updates displays the installation status by targeted operating system version. For each operating system version targeted the following columns are available: + +| Column name | Description | Drill-in description | +|---|---|---| +| **Total progress** | Percentage of devices that installed the targeted operating system version feature update within the last 30 days. | A bar graph is included in this column. Use the **Total devices** drill-in for additional information. | +|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. | +| **Total Devices** | Count of devices for each targeted operating system version that have been offered the update, or are installing, have installed, or canceled the feature update.| Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | + +### Device status group for feature updates + +The **Device status** group for feature updates contains the following items: + +- **Windows 11 readiness status**: Chart containing how many devices that have a status of capable, not capable, or unknown for Windows 11 readiness. +- **Device alerts**: Count of active alerts for feature updates in each alert classification. +- **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices. + - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + +## Customize the workbook + +Since the Update Compliance workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started). + + +## Next steps + +- Explore the [Update Compliance (preview) schema](update-compliance-v2-schema.md) +- Review [Feedback, support, and troubleshooting](update-compliance-v2-help.md) information for Update Compliance diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/update-status-admin-center.md index 71e40f2c64..08f6787ea7 100644 --- a/windows/deployment/update/update-status-admin-center.md +++ b/windows/deployment/update/update-status-admin-center.md @@ -30,15 +30,9 @@ The **Software updates** page has following tabs to assist you in monitoring upd :::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png"::: -## Prerequisites - -- [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution -- An appropriate role assigned for the [Microsoft 365 admin center](https://admin.microsoft.com) - - To configure settings and view the **Software Updates** page: - - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) - - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) - - To view the **Software Updates** page: - - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) +## Permissions + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-admin-center-permissions.md)] ## Limitations @@ -47,18 +41,9 @@ Update Compliance is a Windows service hosted in Azure that uses Windows diagnos ## Get started -1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. -1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. -1. In the **Software Updates** page, select the **Windows** tab. -1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Update Compliance](update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: - - The Azure subscription - - The Log Analytics workspace -1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Update Compliance data**. -1. After the initial setup is complete, the **Windows** tab will display your Update Compliance data in the charts. - -> [!Tip] -> If you don't see an entry for **Software updates (preview)** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). + +[!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)] ## The Windows tab diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 1918ed5246..52c86e776b 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -25,6 +25,9 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> [!NOTE] +> Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/). + You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md deleted file mode 100644 index ffe3f4ae21..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq.md +++ /dev/null @@ -1,93 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**. - -**For Delivery Optimization metadata**: - -- *.dl.delivery.mp.microsoft.com -- *.emdl.ws.microsoft.com - -**For the payloads (optional)**: - -- *.download.windowsupdate.com -- *.windowsupdate.com - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. - -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 3a04bb79e1..63c12060d0 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -39,7 +39,7 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi ### Application compatibility -Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. . +Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](/mem/configmgr/desktop-analytics/ready-for-windows). @@ -108,7 +108,7 @@ Specialized systems—such as devices that control medical equipment, point-of-s > > The Long-term Servicing channel is not intended for deployment on most or all the devices in an organization; it should be used only for special-purpose devices. As a general guideline, a device with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the General Availability channel. -Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSC. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a the product lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or perform a search on the [product lifecycle information](/lifecycle/products/) page. +Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSC. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over the product's lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or perform a search on the [product's lifecycle information](/lifecycle/products/) page. > [!NOTE] > LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows). diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index f198383a31..4604ac1c8e 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -98,9 +98,9 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati ### Do not connect to any Windows Update Internet locations -Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. +Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update, the Microsoft Store, or the Microsoft Store for Business. -Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working. +Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Microsoft Store for Business, Windows Update for Business, and Delivery Optimization to stop working. >[!NOTE] >This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 7da37ac391..cf390b0f9a 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -7,7 +7,6 @@ ms.author: aaroncz manager: dougeby ms.reviewer: kaushika ms.topic: troubleshooting -ms.custom: seo-marvel-apr2020 ms.collection: highpri --- @@ -18,6 +17,8 @@ ms.collection: highpri - Windows 10 - Windows 11 +

    Try our Virtual Agent - It can help you quickly identify and fix common Windows Update issues + The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. ## 0x8024402F @@ -42,7 +43,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.

    If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.| ## 0x80072EFD or 0x80072EFE or 0x80D02002 @@ -84,7 +85,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. | ## 0x8024000E @@ -96,19 +97,19 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.

    Review [KB920659](/troubleshoot/windows-server/deployment/wsus-selfupdate-not-send-automatic-updates) for instructions to resolve the issue. | +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.

    For more information to resolve the issue, review [KB920659](/troubleshoot/windows-server/deployment/wsus-selfupdate-not-send-automatic-updates). | ## 0x80244007 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update.

    Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. | This issue occurs because Windows can't renew the cookies for Windows Update.

    For more information to resolve the issue, see [0x80244007 error when Windows tries to scan for updates on a WSUS server](https://support.microsoft.com/topic/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-server-6af342d9-9af6-f3bb-b6ad-2be56bf7826e). | ## 0x80070422 | Message | Description | Mitigation | |---------|-------------|------------| -| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.
    | +| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running. | ## 0x800f0821 @@ -145,7 +146,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
    Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
    Go to %Windir%\logs\CBS, open the last CBS.log and search for ", error" and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | ## 0x80070570 @@ -158,14 +159,14 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. | +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for `, error`. Then match the results with the timestamp. | ## 0x80070020 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
    1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
    2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon).
    3. Run Procmon.exe. It will start data capture automatically.
    4. Install the update package again
    5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
    6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
    7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
    8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
    9. Try to stop it or uninstall the process causing the error. | +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
    1. [Perform a clean boot and retry the installation](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd)
    2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon).
    3. Run Procmon.exe. It will start data capture automatically.
    4. Install the update package again
    5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
    6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
    7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
    8. In Process Monitor, filter for path and insert the file name (it should be something like "path" "contains" "filename from CBS").
    9. Try to stop it or uninstall the process causing the error. | ## 0x80073701 @@ -183,19 +184,19 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.
    From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE*
    Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you’re using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | +| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.
    From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE*
    Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you're using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | ## 0x80072F8F | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/). +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392). ## 0x80072EE2 | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
    Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures).
    If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
    `http://windowsupdate.microsoft.com`
    `https://*.windowsupdate.microsoft.com`
    `https://update.microsoft.com`
    `https://*.update.microsoft.com`
    `https://windowsupdate.com`
    `https://*.windowsupdate.com`
    `https://download.windowsupdate.com`
    `https://*.download.windowsupdate.com`
    `https://download.microsoft.com`
    `https://*.download.windowsupdate.com`
    `https://wustat.windows.com`
    `https://*.wustat.windows.com`
    `https://ntservicepack.microsoft.com` | +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
    Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures).
    If you're using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
    `http://windowsupdate.microsoft.com`
    `https://*.windowsupdate.microsoft.com`
    `https://update.microsoft.com`
    `https://*.update.microsoft.com`
    `https://windowsupdate.com`
    `https://*.windowsupdate.com`
    `https://download.windowsupdate.com`
    `https://*.download.windowsupdate.com`
    `https://download.microsoft.com`
    `https://*.download.windowsupdate.com`
    `https://wustat.windows.com`
    `https://*.wustat.windows.com`
    `https://ntservicepack.microsoft.com` | ## 0x80240022 diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index 5b8cff866c..3498ee23fe 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -18,6 +18,8 @@ ms.topic: article > This is a 300 level topic (moderately advanced).
    > See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +

    Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues + If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. > [!IMPORTANT] diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index fee71f1399..4ade882a85 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -147,15 +147,19 @@ S = Supported; Not considered a downgrade or an upgrade **Destination Edition: (Starting)** -|Edition|Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise| -|--- |--- |--- |--- |--- |--- |--- |--- | -|Home|||||||| -|Pro|||||||| -|Pro for Workstations|||||||| -|Pro Education|||||||| -|Education||✔|✔|✔|||S| -|Enterprise LTSC|||||||| -|Enterprise||✔|✔|✔|S||| +![Supported downgrade path.](../images/check_grn.png) (green checkmark) = Supported downgrade path
    +![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) (blue checkmark) = Not considered a downgrade or an upgrade
    +![not supported.](../images/x_blk.png) (X) = not supported or not a downgrade
    + +| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** | +|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- | +| **Home** | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro** | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro Education** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Education** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | +| **Enterprise LTSC** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | +| **Enterprise** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index a0030a3a78..fda363bfff 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -1,7 +1,6 @@ --- title: Step by step - Deploy Windows 10 in a test lab using MDT description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT). -ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.localizationpriority: medium ms.date: 10/11/2017 @@ -9,15 +8,14 @@ ms.reviewer: manager: dougeby ms.author: aaroncz author: aczechowski -ms.topic: article +ms.topic: how-to --- - # Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit **Applies to** -- Windows 10 +- Windows 10 > [!IMPORTANT] > This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: @@ -62,18 +60,18 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch ```powershell $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 Stop-Process -Name Explorer ``` -2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. +1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. -3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. +1. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. Installation might require several minutes to acquire all components. -3. If desired, re-enable IE Enhanced Security Configuration: +1. If desired, re-enable IE Enhanced Security Configuration: ```powershell - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 Stop-Process -Name Explorer ``` @@ -345,7 +343,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): - + ```console ScanStateArgs=/ue:*\* /ui:CONTOSO\* ``` @@ -354,9 +352,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env ```console ScanStateArgs=/all - ``` + ``` - For more information, see [ScanState Syntax](/previous-versions/windows/it-pro/windows-vista/cc749015(v=ws.10)). + For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax). 4. Click **Edit Bootstap.ini** and replace text in the file with the following text: @@ -641,12 +639,10 @@ Deployment logs are available on the client computer in the following locations: You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. -Tools for viewing log files, and to assist with troubleshooting are available in the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) - Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. ## Related Topics -[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
    -[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +[Microsoft Deployment Toolkit](/mem/configmgr/mdt/) +[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 2a14609c52..5e58c2a014 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -123,10 +123,7 @@ The procedures in this guide are summarized in the following table. An estimate Stop-Process -Name Explorer ``` -1. Download **Microsoft Endpoint Configuration Manager** on SRV1. - - > [!NOTE] - > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). +1. Download [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1. 1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 70f2060fee..f69d28d3bf 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -180,11 +180,9 @@ Starting with Windows 8, the host computer's microprocessor must support second When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. -1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for **Windows Server** to the **C:\VHD** directory. +1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for [Windows Server](https://www.microsoft.com/evalcenter/evaluate-windows-server-2022) to the **C:\VHD** directory. > [!NOTE] - > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). - > > The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations. > [!IMPORTANT] @@ -194,10 +192,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the **Windows 10 Enterprise** ISO file to the **C:\VHD** directory on your Hyper-V host. - - > [!NOTE] - > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). +4. Download the [Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) ISO file to the **C:\VHD** directory on your Hyper-V host. You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 290eddf758..67df3547c9 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -13,7 +13,7 @@ ms.collection: search.appverid: - MET150 ms.topic: article -ms.date: 06/16/2022 +ms.date: 07/12/2022 --- # Windows 10/11 Subscription Activation @@ -26,9 +26,11 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to " With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. +If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). + The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. -See the following articles: +For more information, see the following articles: - [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise. - [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education. diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 97e466d258..b56c8a8916 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -17,48 +17,71 @@ href: prepare/windows-autopatch-configure-network.md - name: Enroll your tenant href: prepare/windows-autopatch-enroll-tenant.md - - name: Fix issues found by the Readiness assessment tool - href: prepare/windows-autopatch-fix-issues.md + items: + - name: Fix issues found by the Readiness assessment tool + href: prepare/windows-autopatch-fix-issues.md - name: Deploy href: deploy/index.md items: - name: Add and verify admin contacts href: deploy/windows-autopatch-admin-contacts.md - - name: Register your devices - href: deploy/windows-autopatch-register-devices.md + - name: Device registration + href: + items: + - name: Device registration overview + href: deploy/windows-autopatch-device-registration-overview.md + - name: Register your devices + href: deploy/windows-autopatch-register-devices.md - name: Operate href: operate/index.md items: - - name: Update management + - name: Software update management href: operate/windows-autopatch-update-management.md items: - - name: Windows quality updates - href: operate/windows-autopatch-wqu-overview.md - items: - - name: Windows quality end user experience - href: operate/windows-autopatch-wqu-end-user-exp.md - - name: Windows quality update signals - href: operate/windows-autopatch-wqu-signals.md - - name: Windows quality update communications + - name: Windows updates + href: + items: + - name: Windows quality updates + href: operate/windows-autopatch-wqu-overview.md + items: + - name: Windows quality end user experience + href: operate/windows-autopatch-wqu-end-user-exp.md + - name: Windows quality update signals + href: operate/windows-autopatch-wqu-signals.md + - name: Windows feature updates + href: operate/windows-autopatch-fu-overview.md + items: + - name: Windows feature end user experience + href: operate/windows-autopatch-fu-end-user-exp.md + - name: Windows quality and feature update communications href: operate/windows-autopatch-wqu-communications.md - - name: Conflicting and unsupported policies - href: operate/windows-autopatch-wqu-unsupported-policies.md - name: Microsoft 365 Apps for enterprise href: operate/windows-autopatch-microsoft-365-apps-enterprise.md - name: Microsoft Edge href: operate/windows-autopatch-edge.md - name: Microsoft Teams href: operate/windows-autopatch-teams.md - - name: Deregister a device - href: operate/windows-autopatch-deregister-devices.md + - name: Maintain the Windows Autopatch environment + href: operate/windows-autopatch-maintain-environment.md - name: Submit a support request href: operate/windows-autopatch-support-request.md + - name: Deregister a device + href: operate/windows-autopatch-deregister-devices.md + - name: Unenroll your tenant + href: operate/windows-autopatch-unenroll-tenant.md - name: Reference href: items: + - name: Update policies + href: + items: + - name: Windows update policies + href: operate/windows-autopatch-wqu-unsupported-policies.md + - name: Microsoft 365 Apps for enterprise update policies + href: references/windows-autopatch-microsoft-365-policies.md + - name: Changes made at tenant enrollment + href: references/windows-autopatch-changes-to-tenant.md - name: Privacy href: references/windows-autopatch-privacy.md - name: Windows Autopatch preview addendum - href: references/windows-autopatch-preview-addendum.md - - + href: references/windows-autopatch-preview-addendum.md \ No newline at end of file diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md index 2ecfa99202..7793b6cb5d 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md @@ -14,9 +14,6 @@ msreviewer: hathind # Add and verify admin contacts -> [!IMPORTANT] -> The Admin contacts blade isn't available during public preview. However, we'll use the admin contacts provided by you during public preview onboarding. - There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch. > [!IMPORTANT] @@ -34,7 +31,7 @@ Your admin contacts will receive notifications about support request updates and | Area of focus | Description | | ----- | ----- | | Devices |

    • Device registration
    • Device health
    | -| Updates |
    • Windows quality updates
    • Microsoft 365 Apps for enterprise
    • Microsoft Teams updates
    • Microsoft Edge
    | +| Updates |
    • Windows quality updates
    • Windows feature updates
    • Microsoft 365 Apps for enterprise updates
    • Microsoft Edge updates
    • Microsoft Teams updates
    | **To add admin contacts:** diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md new file mode 100644 index 0000000000..1d55fce3d7 --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -0,0 +1,59 @@ +--- +title: Device registration overview +description: This article provides and overview on how to register devices in Autopatch +ms.date: 07/28/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: andredm7 +--- + +# Device registration overview + +Windows Autopatch must [register your existing devices](windows-autopatch-register-devices.md) into its service to manage update deployments on your behalf. + +The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset. + +The overall device registration process is: + +:::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png"::: + +1. IT admin identifies devices to be managed by Windows Autopatch and adds them into the **Windows Autopatch Device Registration** Azure Active Directory (AD) group. +1. Windows Autopatch then: + 1. Performs device readiness prior registration (prerequisite checks). + 1. Calculates the deployment ring distribution. + 1. Assigns devices to one of the deployment rings based on the previous calculation. + 1. Assigns devices to other Azure AD groups required for management. + 1. Marks devices as active for management so it can apply its update deployment policies. +1. IT admin then monitors the device registration trends and the update deployment reports. + +For more information about the device registration workflow, see the [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram) section for more technical details behind the Windows Autopatch device registration process. + +## Detailed device registration workflow diagram + +See the following detailed workflow diagram. The diagram covers the Windows Autopatch device registration process: + +:::image type="content" source="../media/windows-autopatch-device-registration-workflow-diagram.png" alt-text="Detailed device registration workflow diagram" lightbox="../media/windows-autopatch-device-registration-workflow-diagram.png"::: + +| Step | Description | +| ----- | ----- | +| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | +| **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | +| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    | +| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
        1. **If yes**, it means this device is enrolled into Intune.
        2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.
    | +| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
    1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
    2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
    | +| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
    | +| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
    1. **Modern Workplace Devices - All**
      1. This group has all devices managed by Windows Autopatch.
    2. When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
      1. This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
    3. When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
      1. This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
    4. When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
      1. This group has all virtual devices managed by Windows Autopatch.
      | +| **Step 8: Post-device registration** | In post-device registration, three actions occur:
      1. Windows Autopatch adds devices to its managed database.
      2. Flags devices as **Active** in the **Ready** tab.
      3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
        1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
        | +| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not ready** tab.
        | +| **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | + +## Detailed prerequisite check workflow diagram + +As described in **step #4** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed. + +:::image type="content" source="../media/windows-autopatch-prerequisite-check-workflow-diagram.png" alt-text="Detailed prerequisite check workflow diagram" lightbox="../media/windows-autopatch-prerequisite-check-workflow-diagram.png"::: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index a522a08253..fb3df8f46b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 06/24/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -18,19 +18,20 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes: +Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) +- [Windows feature updates](../operate/windows-autopatch-fu-overview.md) - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) - [Microsoft Edge updates](../operate/windows-autopatch-edge.md) - [Microsoft Teams updates](../operate/windows-autopatch-teams.md) ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] -> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. +> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. #### Supported scenarios when nesting other Azure AD groups @@ -47,9 +48,6 @@ Azure AD groups synced up from: > [!IMPORTANT] > The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. -> [!TIP] -> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the Windows Autopatch Device Registration Azure AD group on demand. - ### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid). @@ -65,19 +63,20 @@ It's recommended to detect and clean up stale devices in Azure AD before registe To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: -- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) +- Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). - - [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads: + - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). + - Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune): - Windows updates policies - Device configuration - Office Click-to-run -- Last Intune device check-in completed within the last 28 days. +- Last Intune device check in completed within the last 28 days. +- Devices must have Serial Number, Model and Manufacturer. + > [!NOTE] + > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch. -For more information on how Configuration Manager workloads work, see [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads). - -See [Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details. +For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). ## About the Ready and Not ready tabs @@ -96,39 +95,70 @@ A role defines the set of permissions granted to users assigned to that role. Yo - Intune Service Administrator - Modern Workplace Intune Administrator -For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). +For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). > [!NOTE] > The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles. ## Details about the device registration process -Registering your devices in Windows Autopatch does the following: +Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices into the deployment ring groups and other groups required for software updates management. +2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software update management. + +For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). ## Steps to register devices -**To register devices into Windows Autopatch:** +Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). +Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. + +**To register devices with Windows Autopatch:** 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). -2. Select **Windows Autopatch** from the left navigation menu. -3. Select **Devices**. -4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. -5. Add either devices through direct membership, or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. +2. Select **Devices** from the left navigation menu. +3. Under the **Windows Autopatch** section, select **Devices**. +4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. -Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs software-based prerequisite checks to try to register them with its service. +Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. -> [!IMPORTANT] -> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview. +> [!TIP] +> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. -## Additional device management lifecycle scenarios +### Windows Autopatch on Windows 365 Enterprise Workloads -There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch. +Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. + +**To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:** + +1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. +1. In the left pane, select **Devices**. +1. Navigate to Provisioning > **Windows 365**. +1. Select Provisioning policies > **Create policy**. +1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types). +1. Select **Next**. +1. Choose the desired image and select **Next**. +1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) cannot manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) to continue. +1. Assign your policy accordingly and select **Next**. +1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. + +For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). + +### Contact support for device registration-related incidents + +Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. + +- For Windows 365 support, see [Get support](/mem/get-support). +- For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request). + +## Device management lifecycle scenarios + +There's a few more device management lifecycle scenarios to consider when planning to register devices in Windows Autopatch. ### Device refresh diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png new file mode 100644 index 0000000000..a2e0785741 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png new file mode 100644 index 0000000000..3abdb9288e Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png new file mode 100644 index 0000000000..d340ccdecd Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-force-update.png b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png new file mode 100644 index 0000000000..a1752b7996 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png new file mode 100644 index 0000000000..0b926b62f6 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png new file mode 100644 index 0000000000..f05268d372 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png new file mode 100644 index 0000000000..a0899ccf6c Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png index 043e275574..4e347dc3cf 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ diff --git a/windows/deployment/windows-autopatch/operate/index.md b/windows/deployment/windows-autopatch/operate/index.md index 44954ce00f..88dfceb72d 100644 --- a/windows/deployment/windows-autopatch/operate/index.md +++ b/windows/deployment/windows-autopatch/operate/index.md @@ -14,12 +14,15 @@ msreviewer: hathind # Operating with Windows Autopatch -This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, and how to contact the Windows Autopatch Service Engineering Team: +This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, maintaining your Windows Autopatch environment, how to contact the Windows Autopatch Service Engineering Team, and unenrolling your tenant: - [Update management](windows-autopatch-update-management.md) - [Windows quality updates](windows-autopatch-wqu-overview.md) +- [Windows feature updates](windows-autopatch-fu-overview.md) - [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md) - [Microsoft Edge updates](windows-autopatch-edge.md) - [Microsoft Teams updates](windows-autopatch-teams.md) +- [Maintain the Windows Autopatch environment](windows-autopatch-maintain-environment.md) - [Deregister devices](windows-autopatch-deregister-devices.md) - [Submit a support request](windows-autopatch-support-request.md) +- [Unenroll your tenant](windows-autopatch-unenroll-tenant.md) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md index 7fe4c8e3d4..4fe92e457d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md @@ -14,7 +14,7 @@ msreviewer: andredm7 # Deregister a device -To avoid end-user disruption, device de-registration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. +To avoid end-user disruption, device deregistration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. **To deregister a device:** diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md new file mode 100644 index 0000000000..15a138fcdf --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md @@ -0,0 +1,73 @@ +--- +title: Windows feature update end user experience +description: This article explains the Windows feature update end user experience +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows feature update end user experience + +Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours. + +## User notifications + +In this section we'll review what an end user would see in the following three scenarios: + +1. Typical update experience +2. Feature update deadline forces an update +3. Feature update grace period + +> [!NOTE] +> Windows Autopatch doesn't yet support feature updates without notifying end users. + +### Typical update experience + +In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First ring’s DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either: + +1. Restart immediately to install the updates +1. Schedule the installation, or +1. Snooze (the device will attempt to install outside of active hours.) + +In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. + +:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience"::: + +### Feature update deadline forces an update + +The following example builds on the scenario outlined in the typical user experience, but the user ignores the notification and selects snooze. Further notifications are received, which the user ignores. The device is also unable to install the updates outside of active hours. + +The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. + +:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update"::: + +### Feature update grace period + +In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on. + +Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. + +:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period"::: + +## Servicing window + +Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies: + +| Policy | Description | +| ----- | ----- | +| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. | +| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | + +> [!IMPORTANT] +> Both policies must be deployed for them to work as expected. + +A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible. + +> [!IMPORTANT] +> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management:
        • [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
        • [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
        • [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)
        • [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)
        • [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)
        • [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)
        • [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
        diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md new file mode 100644 index 0000000000..c24e373172 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -0,0 +1,106 @@ +--- +title: Windows feature updates +description: This article explains how Windows feature updates are managed in Autopatch +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows feature updates + +## Service level objective + +Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. + +## Device eligibility + +For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria: + +| Criteria | Description | +| ----- | ----- | +| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. | +| Intune sync | Devices must have checked with Intune within the last five days. | +| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. | +| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | +| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | +| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | + +## Windows feature update releases + +When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout. + +The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend. + +| Ring | Timeline | +| ----- | ----- | +| Test | Release start | +| First | Release start + 30 days | +| Fast | Release start + 60 days | +| Broad | Release start + 90 days | + +:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline"::: + +## New devices to Windows Autopatch + +If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria. + +If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device. + +## Feature update configuration + +When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. You’ll see four of each of the following policies in your tenant, one for each ring: + +- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows. +- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates. + +| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | +| ----- | ----- | ----- | ----- | ----- | +| Test | 21H2 | 0 | 5 | 0 | +| First | 21H2 | 0 | 5 | 2 | +| Fast | 21H2 | 0 | 5 | 2 | +| Broad | 21H2 | 0 | 5 | 2 | + +> [!NOTE] +> Customers are not able to select a target version for their tenant. + +During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline. + +To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods effect devices. + +| Policy | Description | +| ----- | ----- | +| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. | +| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. | +| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. | + +> [!IMPORTANT] +> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management. + +## Windows 11 testing + +To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11. + +> [!IMPORTANT] +> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment. + +## Pausing and resuming a release + +You can pause or resume a Windows feature update from the Release management tab in Microsoft Endpoint Manager. + +## Rollback + +Windows Autopatch doesn't support the rollback of feature updates. + +## Incidents and outages + +If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows. + +If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md new file mode 100644 index 0000000000..2515a08a9a --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -0,0 +1,29 @@ +--- +title: Maintain the Windows Autopatch environment +description: This article details how to maintain the Windows Autopatch environment +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Maintain the Windows Autopatch environment + +After you've completed enrollment in Windows Autopatch, some management settings might need to be adjusted. Use the following steps: + +1. Review the [Microsoft Intune settings](#microsoft-intune-settings) described in the following section. +1. If any of the items apply to your environment, make the adjustments as described. + +> [!NOTE] +> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there. + +## Microsoft Intune settings + +| Setting | Description | +| ----- | ----- | +| Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).

        Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:

        • Modern Workplace Update Policy [Broad]-[Windows Autopatch]
        • Modern Workplace Update Policy [Fast]-[Windows Autopatch]
        • Modern Workplace Update Policy [First]-[Windows Autopatch]
        • Modern Workplace Update Policy [Test]-[Windows Autopatch]

        When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.

        **To resolve the Not ready result:**

        After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        **To resolve the Advisory result:**

        1. Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
        2. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 5a95e0b786..d3ef9e518e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -33,7 +33,7 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN). -Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. +Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. ## Update rings @@ -82,29 +82,13 @@ Windows Autopatch will either: Since quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. -## Conflicting and unsupported policies +## Compatibility with Servicing Profiles -Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed. - -### Update policies - -Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management. - -| Update setting | Value | Usage reason | -| ----- | ----- | ----- | -| Set updates to occur automatically | Enabled | Enable automatic updates | -| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch | -| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch | -| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs | -| Set a deadline by when updates must be applied | 3 | Update deadline | -| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated | -| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates | - -## Microsoft 365 Apps servicing profiles +[Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. -However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type. +However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload. ## Incidents and outages diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md new file mode 100644 index 0000000000..9d1f37b506 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -0,0 +1,56 @@ +--- +title: Unenroll your tenant +description: This article explains what unenrollment means for your organization and what actions you must take. +ms.date: 07/27/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Unenroll your tenant + +If you're looking to unenroll your tenant from Windows Autopatch, this article details what unenrollment means for your organization and what actions you must take. + +> [!IMPORTANT] +> You must be a Global Administrator to unenroll your tenant. + +Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will: + +- Remove Windows Autopatch access to your tenant. +- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). +- Delete all data that we've stored in the Windows Autopatch data storage. + +> [!NOTE] +> We will **not** delete any of your customer or Intune data. + +## Microsoft's responsibilities during unenrollment + +| Responsibility | Description | +| ----- | ----- | +| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). | +| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | + +## Your responsibilities after unenrolling your tenant + +| Responsibility | Description | +| ----- | ----- | +| Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | +| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). | +| Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. | + +## Unenroll from Windows Autopatch + +**To unenroll from Windows Autopatch:** + +1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service. +1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service. + 1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team. + 2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner. +1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment). +1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete. +1. You’re responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index ac151e3512..982440f7ea 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -1,7 +1,7 @@ --- -title: Update management +title: Software update management description: This article provides an overview of how updates are handled in Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: overview @@ -9,61 +9,91 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- -# Update management +# Software update management -Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates. +Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. -## Update types +## Software update workloads -| Update type | Description | +| Software update workload | Description | | ----- | ----- | -| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | +| Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | +| Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md). | Anti-virus definition | Updated with each scan. | | Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). | | Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). | | Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). | -## Update rings +## Windows Autopatch deployment rings + +During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings: + +| Ring | Description | +| ----- | ----- | +| **Modern Workplace Devices-Windows Autopatch-Test** | Deployment ring for testing update deployments prior production rollout.| +| **Modern Workplace Devices-Windows Autopatch-First** | First production deployment ring for early adopters.| +| **Modern Workplace Devices-Windows Autopatch-Fast** | Fast deployment ring for quick rollout and adoption. | +| **Modern Workplace Devices-Windows Autopatch-Broad** | Final deployment ring for broad rollout into the organization. | + +Each deployment ring has a different set of update deployment policies to control the updates rollout. + +> [!IMPORTANT] +> Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. + +Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. > [!NOTE] -> Update rings only apply to Windows quality updates. +> You can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. -During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings: +### Deployment ring calculation logic -1. Modern Workplace Devices - Test -2. Modern Workplace Devices - First -3. Modern Workplace Devices - Fast -4. Modern Workplace Devices - Broad +The Windows Autopatch deployment ring calculation happens during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md) and it works as follows: -Each of the update rings has a different purpose and assigned a set of policies to control the rollout of updates in each management area. +- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. +- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. -When a device is enrolled into the Windows Autopatch service, the device is assigned to an update ring so that we have the right distributions across your estate. The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release. -> [!NOTE] -> You can't create additional rings for managed devices and must use the four rings provided by Windows Autopatch. - -| Ring | Default device count | Description +| Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
        • 0–500 devices: minimum one device
        • 500–5000 devices: minimum five devices
        • 5000+ devices: min 50 devices
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | -| First | 1% | The First ring is the first group of production users to receive a change.

        This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.

        Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.| -| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

        The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

        | -| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0–500** devices: minimum **one** device.
        • **500–5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | **1%** | The First ring is the first group of production users to receive a change.

        This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

        Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

        The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

        | +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| -## Moving devices between rings +## Moving devices in between deployment rings -If you want to move separate devices to different rings, repeat the following steps for each device: +If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab. + +**To move devices in between deployment rings:** 1. In Microsoft Endpoint Manager, select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. -3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify. +3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 4. Select **Device actions** from the menu. 5. Select **Assign device to ring**. A fly-in opens. -6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. +6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. -When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment. +When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. > [!NOTE] -> You can't move devices to other rings if they're in the "error" or "pending" registration state.

        If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). +> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

        If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). + +## Automated deployment ring remediation functions + +Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: + +- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or +- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). + +There are two automated deployment ring remediation functions: + +| Function | Description | +| ----- | ----- | +| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). | +| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.| + +> [!IMPORTANT] +> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md index 2636932319..555d20ee68 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md @@ -1,5 +1,5 @@ --- -title: End user experience +title: Windows quality update end user experience description: This article explains the Windows quality update end user experience ms.date: 05/30/2022 ms.prod: w11 @@ -12,7 +12,7 @@ manager: dougeby msreviewer: hathind --- -# End user experience +# Windows quality update end user experience Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index 282c602973..c7c96c2575 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -37,7 +37,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. -To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates: +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates: | Policy | Description | | ----- | ----- | @@ -48,7 +48,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s > [!IMPORTANT] > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). -Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings). +Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: @@ -72,8 +72,11 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed. -> [!NOTE] -> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview. +You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager. + +## Rollback + +Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md). ## Incidents and outages diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md index cf052fbba4..4e5a37bb81 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md @@ -40,7 +40,7 @@ The update is released to the Test ring on the second Tuesday of the month. Thos ## Device reliability signals -Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. +Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md index a76f93d9c5..1ee72bdfda 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md @@ -1,7 +1,7 @@ --- -title: Conflicting and unsupported policies -description: This article explains the conflicting and unsupported policies in Windows quality updates -ms.date: 05/30/2022 +title: Windows update policies +description: This article explains Windows update policies in Windows Autopatch +ms.date: 07/07/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -12,11 +12,94 @@ manager: dougeby msreviewer: hathind --- -# Conflicting and unsupported policies +# Windows update policies + +## Update rings for Windows 10 and later + +The following policies contain settings which apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention: + +**Modern Workplace Update Policy [ring name] – [Windows Autopatch]** + +### Windows 10 and later update settings + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Microsoft product updates | Allow | Allow | Allow | Allow | +| Windows drivers | Allow | Allow | Allow | Allow | +| Quality update deferral period | 0 | 1 | 6 | 9 | +| Feature update deferral period | 0 | 0 | 0 | 0 | +| Upgrade Windows 10 to latest Windows 11 release | No | No | No | No | +| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days | +| Servicing channel | General availability | General availability | General availability | General availability | + +### Windows 10 and later user experience settings + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Automatic update behaviour | Reset to default | Reset to default | Reset to default | Reset to default | +| Restart checks | Allow | Allow | Allow | Allow | +| Option to pause updates | Disable | Disable | Disable | Disable | +| Option to check for Windows updates | Default | Default | Default | Default | +| Change notification update level | Default | Default | Default | Default | +| Deadline for feature updates | 5 | 5 | 5 | 5 | +| Deadline for quality updates | 0 | 2 | 2 | 5 | +| Grace period | 0 | 2 | 2 | 2 | +| Auto-restart before deadline | Yes | Yes | Yes | Yes | + +### Windows 10 and later assignments + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad | +| Excluded groups | None | None | None | None | + +## Feature update policies + +The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices. + +### Feature updates for Windows 10 and later + +These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention: + +**Modern Workplace DSS Policy [ring name]** + +#### Feature update deployment settings + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | +| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | + +#### Feature update policy assignments + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad | +| Excluded groups | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | + +#### Windows 11 testing + +To allow customers to test Windows 11 in their environment, there's a separate DSS policy which enables you to test Windows 11 before broadly adopting within your environment. + +##### Windows 11 deployment setting + +| Setting name | Test | +| ----- | ----- | +| Name | Windows 11 | +| Rollout options | Immediate start | + +##### Windows 11 assignments + +| Setting name | Test | +| ----- | ----- | +| Included groups | Modern Workplace – Windows 11 Pre-Release Test Devices | +| Excluded groups | None | + +## Conflicting and unsupported policies Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed. -## Update policies +### Update policies Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management. @@ -26,7 +109,7 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de | [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.

        Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.

        This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | -## Group policy +### Group policy Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management: diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 64041a261e..8b42365ad6 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: w11 ms.topic: faq - ms.date: 06/02/2022 + ms.date: 08/26/2022 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -25,7 +25,7 @@ sections: - question: Is Windows 365 for Enterprise supported with Windows Autopatch? answer: | Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported. - - question: Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing? + - question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing? answer: | Autopatch isn't available for 'A' or 'F' series licensing. - question: Will Windows Autopatch support local domain join Windows 10? @@ -34,6 +34,9 @@ sections: - question: Will Windows Autopatch be available for state and local government customers? answer: | Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. + - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service? + answer: | + Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. - name: Requirements questions: - question: What are the prerequisites for Windows Autopatch? @@ -43,7 +46,7 @@ sections: - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) Additional pre-requisites for devices managed by Configuration Manager: - - [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements) + - [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? @@ -59,6 +62,15 @@ sections: - question: Can Autopatch customers individually approve or deny devices? answer: | No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported. + - question: Does Autopatch on Windows 365 Cloud PCs have any feature difference from a physical device? + answer: | + No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). + - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center? + answer: | + Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). + - question: Can I run Autopatch on my Windows 365 Business Workloads? + answer: | + No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - name: Update Management questions: - question: What systems does Windows Autopatch update? @@ -67,8 +79,6 @@ sections: - Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel. - Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates. - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. - - question: What does Windows Autopatch do to ensure updates are done successfully? - answer: For information about the Microsoft Admin Center, see [Manage third-party app subscriptions for your organization](/microsoft-365/commerce/manage-saas-apps). - question: What does Windows Autopatch do to ensure updates are done successfully? answer: | For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. @@ -86,9 +96,9 @@ sections: - question: Can you customize the scheduling of an update rollout to only install on certain days and times? answer: | No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - - question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? + - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). + Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index a724359a90..107f37c50e 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -1,7 +1,7 @@ --- -title: What is Windows Autopatch? (preview) +title: What is Windows Autopatch? description: Details what the service is and shortcuts to articles -ms.date: 05/30/2022 +ms.date: 07/11/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -12,10 +12,7 @@ manager: dougeby msreviewer: hathind --- -# What is Windows Autopatch? (preview) - -> [!IMPORTANT] -> **Windows Autopatch is in public preview**. It's actively being developed and may not be complete. You can test and use these features in production environments and [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch). +# What is Windows Autopatch? Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. @@ -39,6 +36,7 @@ The goal of Windows Autopatch is to deliver software updates to registered devic | Management area | Service level objective | | ----- | ----- | | [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. | +| [Windows feature updates](../operate/windows-autopatch-fu-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. | | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). | | [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. | | [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | @@ -59,33 +57,13 @@ Microsoft remains committed to the security of your data and the [accessibility] ## Need more details? -### Prepare +| Area | Description | +| ----- | ----- | +| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:

        • [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
        • [Configure your network](../prepare/windows-autopatch-configure-network.md)
        • [Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)
        • [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
        | +| Deploy | Once you've enrolled your tenant, this section instructs you to:
        • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
        • [Register your devices](../deploy/windows-autopatch-register-devices.md)
        | +| Operate | This section includes the following information about your day-to-day life with the service:
        • [Update management](../operate/windows-autopatch-update-management.md)
        • [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
        • [Submit a support request](../operate/windows-autopatch-support-request.md)
        • [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
        +| References | This section includes the following articles:
        • [Windows update policies](../operate/windows-autopatch-wqu-unsupported-policies.md)
        • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
        • [Privacy](../references/windows-autopatch-privacy.md)
        • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
        | -The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch: +### Have feedback or would like to start a discussion? -- [Prerequisites](../prepare/windows-autopatch-prerequisites.md) -- [Configure your network](../prepare/windows-autopatch-configure-network.md) -- [Enroll your tenant with Windows Autopatch](../prepare/windows-autopatch-enroll-tenant.md) -- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) - -### Deploy - -Once you've enrolled your tenant, this section instructs you to: - -- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) -- [Register your devices](../deploy/windows-autopatch-register-devices.md) - -### Operate - -This section includes the following information about your day-to-day life with the service: - -- [Update management](../operate/windows-autopatch-update-management.md) -- [Submit a support request](../operate/windows-autopatch-support-request.md) -- [Deregister a device](../operate/windows-autopatch-deregister-devices.md) - -### References - -This section includes the following articles: - -- [Privacy](../references/windows-autopatch-privacy.md) -- [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md) +You can [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch). diff --git a/windows/deployment/windows-autopatch/prepare/index.md b/windows/deployment/windows-autopatch/prepare/index.md index 71ba6f2d78..903d732865 100644 --- a/windows/deployment/windows-autopatch/prepare/index.md +++ b/windows/deployment/windows-autopatch/prepare/index.md @@ -19,4 +19,4 @@ The following articles describe the steps you must take to onboard with Windows 1. [Review the prerequisites](windows-autopatch-prerequisites.md) 1. [Configure your network](windows-autopatch-configure-network.md) 1. [Enroll your tenant](windows-autopatch-enroll-tenant.md) -1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md) + 1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index c594bece89..cb7b64d172 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -1,7 +1,7 @@ --- title: Enroll your tenant description: This article details how to enroll your tenant -ms.date: 05/30/2022 +ms.date: 07/11/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -14,9 +14,12 @@ msreviewer: hathind # Enroll your tenant -Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time. +Before you enroll in Windows Autopatch, there are settings, and other parameters you must set ahead of time. -The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration -related settings. This tool allows you to check the relevant settings and detailed steps to fix any settings that aren't configured properly for Windows Autopatch. +> [!IMPORTANT] +> You must be a Global Administrator to enroll your tenant. + +The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch. ## Step 1: Review all prerequisites @@ -27,20 +30,18 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop > [!IMPORTANT] > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. -The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). +The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). **To access and run the Readiness assessment tool:** > [!IMPORTANT] -> You must be a Global Administrator to enroll your tenant. +> You must be a Global Administrator to run the Readiness assessment tool. 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**. > [!IMPORTANT] -> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md). - -A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). +> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses). The Readiness assessment tool checks the following settings: @@ -50,8 +51,8 @@ The following are the Microsoft Intune settings: | Check | Description | | ----- | ----- | -| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. The policy shouldn't target any Windows Autopatch devices. | -| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. | +| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure update rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). | +| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). | ### Azure Active Directory settings @@ -59,38 +60,25 @@ The following are the Azure Active Directory settings: | Check | Description | | ----- | ----- | -| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.

        Conditional access policies shouldn't be assigned to Windows Autopatch service accounts. For more information on steps to take, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). | -| Windows Autopatch service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. | -| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. | +| Co-management | This advisory check only applies if co-management is applied to your tenant. This check ensures that the proper workloads are in place for Windows Autopatch. If co-management doesn't apply to your tenant, this check can be safely disregarded, and won't block device deployment. | | Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | +### Check results + For each check, the tool will report one of four possible results: | Result | Meaning | | ----- | ----- | | Ready | No action is required before completing enrollment. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.

        You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | | Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | -### Seeing issues with your tenant? +## Step 3: Fix issues with your tenant If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate. -### Delete data collected from the Readiness assessment tool - -Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. You can choose to delete the data we collect directly within the Readiness assessment tool. - -> [!NOTE] -> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. - -**To delete the data we collect:** - -1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). -2. Navigate to Windows Autopatch > **Tenant enrollment**. -3. Select **Delete all data**. - -## Step 3: Enroll your tenant +## Step 4: Enroll your tenant > [!IMPORTANT] > You must be a Global Administrator to enroll your tenant. @@ -105,4 +93,27 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s - Provide Windows Autopatch with IT admin contacts. - Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service. -Once these actions are complete, you've now successfully enrolled your tenant. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md). +Once these actions are complete, you've now successfully enrolled your tenant. + +> [!NOTE] +> For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). + +### Delete data collected from the Readiness assessment tool + +You can choose to delete the data we collect directly within the Readiness assessment tool. + +Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. + +> [!NOTE] +> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. + +**To delete the data we collect:** + +1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Navigate to Windows Autopatch > **Tenant enrollment**. +3. Select **Delete all data**. + +## Next steps + +1. Maintain your [Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md). +1. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md). diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index b9f8c7b372..ae202548a6 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -14,14 +14,18 @@ msreviewer: hathind # Fix issues found by the Readiness assessment tool +Seeing issues with your tenant? This article details how to remediate issues found with your tenant. + +## Check results + For each check, the tool will report one of four possible results: | Result | Meaning | | ----- | ----- | | Ready | No action is required before completing enrollment. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.

        You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | -| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | +| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. | > [!NOTE] > The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. @@ -44,21 +48,20 @@ Your "Windows 10 update ring" policy in Intune must not target any Windows Autop | Result | Meaning | | ----- | ----- | -| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

        After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        | -| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch. This advisory is flagging an action you should take after enrolling into the service:
        1. Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
        2. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also exclude the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). | +| Not ready | You have an "update ring" policy that targets all devices, all users, or both.

        To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        | +| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.

        You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).

        | ## Azure Active Directory settings You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/). -### Conditional access policies +### Co-management -Conditional access policies must not prevent Windows Autopatch from connecting to your tenant. +Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune. | Result | Meaning | | ----- | ----- | -| Advisory | You have at least one conditional access policy that targets all users or at least one conditional access policy set as required for multi-factor authentication. These policies could prevent Windows Autopatch from managing the Windows Autopatch service.

        During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.

        For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.

        | -| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check:
        • Security Reader
        • Security Administrator
        • Conditional Access Administrator
        • Global Reader
        • Devices Administrator
        | +| Advisory | To successfully enroll devices that are co-managed into Windows Autopatch, it's necessary that the following co-managed workloads are set to **Intune**:
        • Device configuration
        • Windows update policies
        • Office 365 client apps

        If co-management doesn't apply to your tenant, this check can be safely disregarded, and it won't block device deployment.

        | ### Licenses @@ -67,19 +70,3 @@ Windows Autopatch requires the following licenses: | Result | Meaning | | ----- | ----- | | Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | - -### Windows Autopatch service accounts - -Certain account names could conflict with account names created by Windows Autopatch. - -| Result | Meaning | -| ----- | ----- | -| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. Work with your Microsoft account representative to exclude these account names. We don't list the account names publicly to minimize security risk. | - -### Security defaults - -Security defaults in Azure Active Directory (AD) will prevent Windows Autopatch from managing your devices. - -| Result | Meaning | -| ----- | ----- | -| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. For more information, see [Common conditional access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 5d377d6e50..f5d9508b37 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 05/30/2022 +ms.date: 08/04/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -16,17 +16,20 @@ msreviewer: hathind Getting started with Windows Autopatch has been designed to be easy. This article outlines the infrastructure requirements you must meet to assure success with Windows Autopatch. +> [!NOTE] +> For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. + | Area | Prerequisite details | | ----- | ----- | | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

        For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

        For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

        For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

        • For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
        • For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
        | -| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

        At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

        Other device management prerequisites include:

        • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
        • Devices managed only by Microsoft Endpoint Configuration Manager aren't supported.
        • Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices won't be registered with Autopatch.
        • Devices must be connected to the internet.

        For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). | +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

        At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

        Other device management prerequisites include:

        • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
        • Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
        • Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
        • Devices must be connected to the internet.
        • Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.

        See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.

        For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).

        | | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | ## More about licenses -Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch: +Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch: | License | ID | GUID number | | ----- | ----- | ------| @@ -36,19 +39,20 @@ Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The fol | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | -The following Windows 64-bit editions are required for Windows Autopatch: +The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch: -- Windows 10/11 Pro -- Windows 10/11 Enterprise -- Windows 10/11 Pro for Workstations +- Windows 10 (1809+)/11 Pro +- Windows 10 (1809+)/11 Enterprise +- Windows 10 (1809+)/11 Pro for Workstations -## Co-management requirements +## Configuration Manager Co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). -- Ensure ConfigMgr is connected to the internet and [cloud-attach with Intune](/mem/configmgr/cloud-attach/overview). -- Ensure ConfigMgr is co-managed. For more information, see [Paths to co-management](/mem/configmgr/comanage/quickstart-paths). -- Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. -- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. -- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. +- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled: + - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. + - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. + - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. + +For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths). diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md new file mode 100644 index 0000000000..ab4daa7fe2 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -0,0 +1,135 @@ +--- +title: Changes made at tenant enrollment +description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch +ms.date: 08/08/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Changes made at tenant enrollment + +## Service principal + +Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: + +- Modern Workplace Customer APIs + +## Azure Active Directory groups + +Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications). + +| Group name | Description | +| ----- | ----- | +| Modern Workplace-All | All Modern Workplace users | +| Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | +| Modern Workplace Devices-All | All Modern Workplace devices | +| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

        Group Rule:

        • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
        • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

        Exclusions:
        • Modern Workplace - Telemetry Settings for Windows 11
        | +| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

        Group Rule:

        • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
        • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

        Exclusions:
        • Modern Workplace - Telemetry Settings for Windows 10
        | +| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | +| Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role | +| Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch | + +## Windows Autopatch enterprise applications + +Enterprise applications are applications (software) that a business uses to do its work. + +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. + +| Enterprise application name | Usage | Permissions | +| ----- | ------ | ----- | +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
        • DeviceManagementApps.ReadWrite.All
        • DeviceManagementConfiguration.ReadWrite.All
        • DeviceManagementManagedDevices.PriviligedOperation.All
        • DeviceManagementManagedDevices.ReadWrite.All
        • DeviceManagementRBAC.ReadWrite.All
        • DeviceManagementServiceConfig.ReadWrite.All
        • Directory.Read.All
        • Group.Create
        • Policy.Read.All
        • WindowsUpdates.Read.Write.All
        | + +> [!NOTE] +> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. + +## Device configuration policies + +- Modern Workplace - Set MDM to Win Over GPO +- Modern Workplace - Telemetry Settings for Windows 10 +- Modern Workplace - Telemetry Settings for Windows 11 +- Modern Workplace-Window Update Detection Frequency +- Modern Workplace - Data Collection + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        | | | +| Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        |[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 | +| Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        |
        • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
        • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
        • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
        • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
        |
        • 3
        • 1
        • 1
        • 1
          • | +| Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequency

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | +| Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          | | | + +## Update rings for Windows 10 and later + +- Modern Workplace Update Policy [Test]-[Windows Autopatch] +- Modern Workplace Update Policy [First]-[Windows Autopatch] +- Modern Workplace Update Policy [Fast]-[Windows Autopatch] +- Modern Workplace Update Policy [Broad]-[Windows Autopatch] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          |
          • QualityUpdatesDeferralPeriodInDays
          • FeatureUpdatesDeferralPeriodInDays
          • FeatureUpdatesRollbackWindowInDays
          • BusinessReadyUpdatesOnly
          • AutomaticUpdateMode
          • InstallTime
          • DeadlineForFeatureUpdatesInDays
          • DeadlineForQualityUpdatesInDays
          • DeadlineGracePeriodInDays
          • PostponeRebootUntilAfterDeadline
          • DriversExcluded
          |
          • 0
          • 0
          • 30
          • All
          • WindowsDefault
          • 3
          • 5
          • 0
          • 0
          • False
          • False
            • | +| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-First
            |
            • QualityUpdatesDeferralPeriodInDays
            • FeatureUpdatesDeferralPeriodInDays
            • FeatureUpdatesRollbackWindowInDays
            • BusinessReadyUpdatesOnly
            • AutomaticUpdateMode
            • InstallTime
            • DeadlineForFeatureUpdatesInDays
            • DeadlineForQualityUpdatesInDays
            • DeadlineGracePeriodInDays
            • PostponeRebootUntilAfterDeadline
            • DriversExcluded
            |
            • 1
            • 0
            • 30
            • All
            • WindowsDefault
            • 3
            • 5
            • 2
            • 2
            • False
            • False
              • | +| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Fast
              |
              • QualityUpdatesDeferralPeriodInDays
              • FeatureUpdatesDeferralPeriodInDays
              • FeatureUpdatesRollbackWindowInDays
              • BusinessReadyUpdatesOnly
              • AutomaticUpdateMode
              • InstallTime
              • DeadlineForFeatureUpdatesInDays
              • DeadlineForQualityUpdatesInDays
              • DeadlineGracePeriodInDays
              • PostponeRebootUntilAfterDeadline
              • DriversExcluded
              |
              • 6
              • 0
              • 30
              • All
              • WindowsDefault
              • 3
              • 5
              • 2
              • 2
              • False
              • False
                • | +| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Broad
                |
                • QualityUpdatesDeferralPeriodInDays
                • FeatureUpdatesDeferralPeriodInDays
                • FeatureUpdatesRollbackWindowInDays
                • BusinessReadyUpdatesOnly
                • AutomaticUpdateMode
                • InstallTime
                • DeadlineForFeatureUpdatesInDays
                • DeadlineForQualityUpdatesInDays
                • DeadlineGracePeriodInDays
                • PostponeRebootUntilAfterDeadline
                • DriversExcluded
                |
                • 9
                • 0
                • 30
                • All
                • WindowsDefault
                • 3
                • 5
                • 5
                • 2
                • False
                • False
                  • | + +## Feature update policies + +- Modern Workplace DSS Policy [Test] +- Modern Workplace DSS Policy [First] +- Modern Workplace DSS Policy [Fast] +- Modern Workplace DSS Policy [Broad] +- Modern Workplace DSS Policy [Windows 11] + +| Policy name | Policy description | Value | +| ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Test

                  Exclude from:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                    • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Fast

                    Exclude from:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Broad

                    Exclude from:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | + +## Microsoft Office update policies + +- Modern Workplace - Office ADMX Deployment +- Modern Workplace - Office Configuration v5 +- Modern Workplace - Office Update Configuration [Test] +- Modern Workplace - Office Update Configuration [First] +- Modern Workplace - Office Update Configuration [Fast] +- Modern Workplace - Office Update Configuration [Broad] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Office ADMX Deployment | ADMX file for Office

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace Devices-Windows Autopatch-Fast
                    • Modern Workplace Devices-Windows Autopatch-Broad
                    | | | +| Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace Devices-Windows Autopatch-Fast
                    • Modern Workplace Devices-Windows Autopatch-Broad
                    | | | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    |
                    • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                    • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                    |
                  • Enabled; L_UpdateDeadlineID == 7
                  • Enabled; L_DeferUpdateDaysID == 0
                    • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-First
                    |
                    • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                    • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                    |
                  • Enabled; L_UpdateDeadlineID == 7
                  • Enabled; L_DeferUpdateDaysID == 0
                    • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Fast
                    |
                    • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                    • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                    |
                  • Enabled; L_UpdateDeadlineID == 7
                  • Enabled; L_DeferUpdateDaysID == 3
                    • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                    Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Broad
                      • |
                      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                      |
                    • Enabled; L_UpdateDeadlineID == 7
                    • Enabled; L_DeferUpdateDaysID == 7
                      • | + +## Microsoft Edge update policies + +- Modern Workplace - Edge Update ADMX Deployment +- Modern Workplace - Edge Update Channel Stable +- Modern Workplace - Edge Update Channel Beta + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace Devices-Windows Autopatch-Fast
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      | | | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace Devices-Windows Autopatch-Fast
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | + +## PowerShell scripts + +| Script | Description | +| ----- | ----- | +| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md new file mode 100644 index 0000000000..92295357e9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md @@ -0,0 +1,33 @@ +--- +title: Microsoft 365 Apps for enterprise update policies +description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Microsoft 365 Apps for enterprise update policies + +## Conflicting and unsupported policies + +Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed. + +### Update policies + +Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management. + +| Update setting | Value | Usage reason | +| ----- | ----- | ----- | +| Set updates to occur automatically | Enabled | Enable automatic updates | +| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch | +| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch | +| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs | +| Set a deadline by when updates must be applied | 3 | Update deadline | +| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated | +| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 7d992eafee..ee8956decd 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -58,11 +58,21 @@ Windows Autopatch only processes and stores system-level data from Windows 10 op For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. +## Tenant access + +Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts. + +| Account name | Usage | Mitigating controls | +| ----- | ----- | -----| +| MsAdmin@tenantDomain.onmicrosoft.com |
                      • This is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.
                      • This account doesn't have interactive login permissions. The account performs operations only through the service.
                      | Audited sign-ins | +| MsAdminInt@tenantDomain.onmicrosoft.com |
                      • This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.
                      • This account is used for interactive login to the customer’s tenant.
                      • The use of this account is extremely limited as most operations are exclusively through MsAdmin (non-interactive) account.
                      |
                      • Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy
                      • Audited sign-ins | +| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | + ## Microsoft Windows Update for Business Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence. -## Microsft Azure Active Directory +## Microsoft Azure Active Directory Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index d568f05eef..0164891a96 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -11,7 +11,7 @@ ms.collection: - M365-modern-desktop - highpri ms.topic: tutorial -ms.date: 05/12/2022 +ms.date: 07/12/2022 --- # Demonstrate Autopilot deployment @@ -42,14 +42,11 @@ You'll need the following components to complete this lab: | Component | Description | |:---|:---| -|**Windows 10 installation media**|Windows 10 Professional or Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an evaluation version of Windows 10 Enterprise.| +|**Windows 10 installation media**|Windows 10 Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).| |**Internet access**|If you're behind a firewall, see the detailed [networking requirements](/mem/autopilot/software-requirements#networking-requirements). Otherwise, just make sure that you have a connection to the internet.| |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.| |**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| -> [!NOTE] -> The Microsoft Evaluation Center is temporarily unavailable. To access Windows client evaluation media, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). - ## Procedures A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices. @@ -142,10 +139,7 @@ After you determine the ISO file location and the name of the appropriate networ ### Set ISO file location -Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise. Choose a 64-bit version. - -> [!NOTE] -> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). +Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). Choose a 64-bit version. After you download an ISO file, the name will be long. For example, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso` @@ -180,7 +174,8 @@ All VM data will be created under the current path in your PowerShell prompt. Co ```powershell New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name -New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +New-VM -Name WindowsAutopilot -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +Set-VMProcessor WindowsAutopilot -Count 2 Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot Start-VM -VMName WindowsAutopilot ``` diff --git a/windows/eulas/TOC.yml b/windows/eulas/TOC.yml deleted file mode 100644 index b5ef71ac32..0000000000 --- a/windows/eulas/TOC.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Index - href: index.md \ No newline at end of file diff --git a/windows/eulas/breadcrumb/toc.yml b/windows/eulas/breadcrumb/toc.yml deleted file mode 100644 index 61d8fca61e..0000000000 --- a/windows/eulas/breadcrumb/toc.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: Docs - tocHref: / - topicHref: / \ No newline at end of file diff --git a/windows/eulas/index.md b/windows/eulas/index.md deleted file mode 100644 index daa4838aac..0000000000 --- a/windows/eulas/index.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -title: Windows 10 - Testing in live -description: What are Windows, UWP, and Win32 apps -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -ms.author: elizapo -author: lizap -ms.localizationpriority: medium ---- -# Testing non-editability diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml index 4b7d13efad..5d8cef9559 100644 --- a/windows/hub/breadcrumb/toc.yml +++ b/windows/hub/breadcrumb/toc.yml @@ -45,7 +45,7 @@ items: topicHref: /windows/security/threat-protection/auditing/security-auditing-overview - name: Microsoft Defender Application Guard tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/ - topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/ + topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview - name: Security policy settings tocHref: /windows/security/threat-protection/security-policy-settings/ topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings @@ -54,4 +54,4 @@ items: topicHref: /windows/security/threat-protection/windows-defender-application-control/ - name: Windows Defender Firewall tocHref: /windows/security/threat-protection/windows-firewall/ - topicHref: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security + topicHref: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 228d687717..461e6028a8 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -42,7 +42,7 @@ "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-hub", diff --git a/windows/known-issues/TOC.yml b/windows/known-issues/TOC.yml deleted file mode 100644 index b5ef71ac32..0000000000 --- a/windows/known-issues/TOC.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Index - href: index.md \ No newline at end of file diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json index d331ee80d1..2119242b44 100644 --- a/windows/known-issues/docfx.json +++ b/windows/known-issues/docfx.json @@ -39,7 +39,7 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "contributors_to_exclude": [ "rjagiewich", "traya1", diff --git a/windows/known-issues/index.md b/windows/known-issues/index.md deleted file mode 100644 index 929011c38d..0000000000 --- a/windows/known-issues/index.md +++ /dev/null @@ -1 +0,0 @@ -# Welcome to known-issues! \ No newline at end of file diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 5e15ca25f9..e63e7f1322 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -108,7 +108,7 @@ If you don’t sign up for any of these enterprise services, Microsoft will act ### Rollout plan for this change -This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. +This change will rollout in phases, starting with Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: @@ -122,11 +122,11 @@ For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022. -To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. +To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD (can be a hybrid Azure AD join), and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. As part of this change, the following policies will no longer be supported to configure the processor option: - Allow commercial data pipeline - Allow Desktop Analytics Processing - Allow Update Compliance Processing - Allow WUfB Cloud Processing - - Configure the Commercial ID \ No newline at end of file + - Configure the Commercial ID diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index b8cdecf995..54a53c7426 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -85,7 +85,7 @@ The following table lists the endpoints related to how you can manage the collec |Connected User Experiences and Telemetry | v10.events.data.microsoft.com

                        v10c.events.data.microsoft.com

                        v10.vortex-win.data.microsoft.com | | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com

                        umwatsonc.events.data.microsoft.com

                        *-umwatsonc.events.data.microsoft.com

                        ceuswatcab01.blob.core.windows.net

                        ceuswatcab02.blob.core.windows.net

                        eaus2watcab01.blob.core.windows.net

                        eaus2watcab02.blob.core.windows.net

                        weus2watcab01.blob.core.windows.net

                        weus2watcab02.blob.core.windows.net | |Authentication | login.live.com



                        IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.| -| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.microsoft.com

                        kmwatsonc.telemetry.microsoft.com

                        *-kmwatsonc.telemetry.microsoft.com | +| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com

                        oca.microsoft.com

                        kmwatsonc.events.data.microsoft.com

                        *-kmwatsonc.events.data.microsoft.com | |Settings | settings-win.data.microsoft.com



                        IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. | ### Data access @@ -267,7 +267,7 @@ The Windows diagnostic data processor configuration enables you to be the contro - Enterprise - Professional - Education -- The device must be joined to Azure Active Directory. +- The device must be joined to Azure Active Directory (can be a hybrid Azure AD join). For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. See [Lifecycle Policy](/lifecycle/products/windows-10-enterprise-and-education) diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 48c27d274d..79774ab7cc 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", + "**/*.svg", "**/*.gif" ], "exclude": [ @@ -40,7 +41,7 @@ "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.privacy", diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2871ffa4fd..be054e388b 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -219,25 +219,25 @@ - name: Create a WIP policy using Microsoft Intune href: information-protection/windows-information-protection/overview-create-wip-policy.md items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + - name: Create a WIP policy in Microsoft Intune href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + - name: Deploy your WIP policy in Microsoft Intune href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + - name: Associate and deploy a VPN policy for WIP in Microsoft Intune href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md - name: Create and verify an EFS Data Recovery Agent (DRA) certificate href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP + - name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - name: Create a WIP policy using Microsoft Endpoint Configuration Manager href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + - name: Create and deploy a WIP policy in Configuration Manager href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md - name: Create and verify an EFS Data Recovery Agent (DRA) certificate href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP + - name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - name: Mandatory tasks and settings required to turn on WIP href: information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -260,6 +260,8 @@ href: information-protection/windows-information-protection/using-owa-with-wip.md - name: Fine-tune WIP Learning href: information-protection/windows-information-protection/wip-learning.md + - name: Disable WIP + href: information-protection/windows-information-protection/how-to-disable-wip.md - name: Application security items: - name: Overview @@ -314,29 +316,15 @@ href: identity-protection/credential-guard/credential-guard-known-issues.md - name: Protect Remote Desktop credentials with Remote Credential Guard href: identity-protection/remote-credential-guard.md + - name: Configuring LSA Protection + href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json - name: Technical support policy for lost or forgotten passwords href: identity-protection/password-support-policy.md - name: Access Control Overview href: identity-protection/access-control/access-control.md items: - - name: Dynamic Access Control Overview - href: identity-protection/access-control/dynamic-access-control.md - - name: Security identifiers - href: identity-protection/access-control/security-identifiers.md - - name: Security Principals - href: identity-protection/access-control/security-principals.md - name: Local Accounts href: identity-protection/access-control/local-accounts.md - - name: Active Directory Accounts - href: identity-protection/access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: identity-protection/access-control/microsoft-accounts.md - - name: Service Accounts - href: identity-protection/access-control/service-accounts.md - - name: Active Directory Security Groups - href: identity-protection/access-control/active-directory-security-groups.md - - name: Special Identities - href: identity-protection/access-control/special-identities.md - name: User Account Control href: identity-protection/user-account-control/user-account-control-overview.md items: diff --git a/windows/security/breadcrumb/toc.yml b/windows/security/breadcrumb/toc.yml new file mode 100644 index 0000000000..2531ffba73 --- /dev/null +++ b/windows/security/breadcrumb/toc.yml @@ -0,0 +1,12 @@ +items: +- name: Docs + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows/ + topicHref: /windows/resources/ + items: + - name: Security + tocHref: /windows-server/security/credentials-protection-and-management/ + topicHref: /windows/security/ diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 730a2a9252..84eb2da0af 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -41,7 +41,7 @@ "audience": "ITPro", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.security", diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 2ba26987bb..3463887878 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -2,27 +2,23 @@ title: Access Control Overview (Windows 10) description: Access Control Overview ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 07/18/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Access Control Overview -**Applies to** -- Windows 10 -- Windows Server 2016 - This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. ## Feature description diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md deleted file mode 100644 index f2d6c64736..0000000000 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ /dev/null @@ -1,625 +0,0 @@ ---- -title: Active Directory Accounts (Windows 10) -description: Active Directory Accounts -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 08/23/2019 ---- - -# Active Directory Accounts - -**Applies to** -- Windows Server 2016 - -Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory. - -This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client. For more information, see [Local Accounts](local-accounts.md). - -## About this topic - - -This topic describes the following: - -- [Default local accounts in Active Directory](#sec-ad-default-accounts) - - - [Administrator account](#sec-administrator) - - - [Guest account](#sec-guest) - - - [HelpAssistant account (installed with a Remote Assistance session)](#sec-helpassistant) - - - [KRBTGT account](#sec-krbtgt) - -- [Settings for default local accounts in Active Directory](#sec-account-settings) - -- [Manage default local accounts in Active Directory](#sec-manage-local-accounts) - -- [Restrict and protect sensitive domain accounts](#sec-restrict-protect-accounts) - - - [Separate administrator accounts from user accounts](#task1-separate-admin-accounts) - - - [Create dedicated workstation hosts without Internet and email access](#task2-admin-workstations) - - - [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon) - - - [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation) - -- [Secure and manage domain controllers](#sec-secure-manage-dcs) - -## Default local accounts in Active Directory - - -Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server. - -You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU). - -The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory. - -Primarily, default local accounts do the following: - -- Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password). It is a best practice to assign each user to a single account to ensure maximum security. Multiple users are not allowed to share one account. A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain. - -- Authorize (grant or deny) access to resources. After a user’s credentials have been authenticated, the user is authorized to access the network and domain resources based on the user’s explicitly assigned rights on the resource. - -- Audit the actions that are carried out on a user account. - -In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications. - -Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md). - -On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md). - -A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below. - -Some of the default local accounts are protected by a background process that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the default local accounts or groups is overwritten with the protected settings. - -This security descriptor is present on the AdminSDHolder object. If you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object to ensure that it is applied consistently. Be careful when making these modifications, because you are also changing the default settings that are applied to all of your protected accounts. - -## Administrator account - - -The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled. - -The Administrator account gives the user complete access (Full Control permissions) of the files, directories, services, and other resources that are on that local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. Administrator can also be used to take control of local resources at any time simply by changing the user rights and permissions. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions. - -**Account group membership** - -The Administrator account has membership in the default security groups as described in the Administrator account attributes table later in this topic. - -The security groups ensure that you can control administrator rights without having to change each Administrator account. In most instances, you do not have to change the basic settings for this account. However, you might have to change its advanced settings, such as membership in particular groups. - -**Security considerations** - -After installation of the server operating system, your first task is to set up the Administrator account properties securely. This includes setting up an especially long, strong password, and securing the Remote control and Remote Desktop Services profile settings. - -The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator account makes it more difficult for malicious users to try to gain access to the account. However, even when the Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode. - -On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources. - -> [!NOTE] -> When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards. - -When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation. - -**Administrator account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-500| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|N/A| -|Default member of|Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users.

                        Group Policy Creator Owners, and Schema Admins in Active Directory

                        Domain Users group| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-service administrators?|No| - -## Guest account - - -The Guest account is a default local account that has limited access to the computer and is disabled by default. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password. - -The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain. - -**Account group membership** - -The Guest account has membership in the default security groups that are described in the following Guest account attributes table. By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain. - -A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers. - -**Security considerations** - -Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time. - -When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access: - -- Do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer. - -- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. - -- Do not use the Guest account when the server has external network access or access to other computers. - -If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution. - -In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed. - -For details about the Guest account attributes, see the following table. - -**Guest account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-501| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Guests, Domain Guests| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - -## HelpAssistant account (installed with a Remote Assistance session) - - -The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. - -HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. - -**Security considerations** - -The SIDs that pertain to the default HelpAssistant account include: - -- SID: S-1-5-``-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services. - -- SID: S-1-5-``-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. - -For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. - -For details about the HelpAssistant account attributes, see the following table. - -**HelpAssistant account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-13 (Terminal Server User), S-1-5-``-14 (Remote Interactive Logon)| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Domain Guests

                        Guests| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - - - -## KRBTGT account - - -The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory. - -KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created. - -Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC. - -### KRBTGT account maintenance considerations - -A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets. - -Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. - -After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log. - -### Security considerations - -It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password. - -An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort. - -The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected. - -For all account types (users, computers, and services) - -- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid. - -- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate. - -- NTLM authenticated connections are not affected - -Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected. - -> [!IMPORTANT] -> Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer. - -For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/). - -### Read-only domain controllers and the KRBTGT account - -Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy. - -After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller. - -### KRBTGT account attributes - -For details about the KRBTGT account attributes, see the following table. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-502| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Domain Users group. Note that the Primary Group ID of all user accounts is Domain Users.| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - -## Settings for default local accounts in Active Directory - - -Each default local account in Active Directory has a number of account settings that you can use to configure password settings and security-specific information, as described in the following table. - -**Settings for default local accounts in Active Directory** - -|Account settings|Description| -|--- |--- | -|User must change password at next logon|Forces a password change the next time that the user logs signs in to the network. Use this option when you want to ensure that the user is the only person to know his or her password.| -|User cannot change password|Prevents the user from changing the password. Use this option when you want to maintain control over a user account, such as for a Guest or temporary account.| -|Password never expires|Prevents a user password from expiring. It is a best practice to enable this option with service accounts and to use strong passwords.| -|Store passwords using reversible encryption|Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.

                        This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).| -|Account is disabled|Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.| -|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.

                        When this attribute is applied on the account, the effect is as follows:

                      • The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process
                      • Each time the attribute is enabled on an account, the account’s current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.
                      • Accounts with this attribute cannot be used to start services or run scheduled tasks.| -|Account is trusted for delegation|Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.| -|Account is sensitive and cannot be delegated|Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account cannot be assigned for delegation by another account.| -|Use DES encryption types for this account|Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
                        **Note:** DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](/archive/blogs/askds/hunting-down-des-in-order-to-securely-deploy-kerberos)
                        | -|Do not require Kerberos preauthentication|Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time.| - - - -## Manage default local accounts in Active Directory - - -After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools. - -You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner. - -For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)). - -You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network. - -You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](/previous-versions/tn-archive/cc677002(v=technet.10)). - -Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This security descriptor is present on the AdminSDHolder object. - -This means, when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object. This approach ensures that the permissions are applied consistently. Be careful when you make these modifications, because this action can also affect the default settings that are applied to all of your protected administrative accounts. - -## Restrict and protect sensitive domain accounts - - -Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best practices approach: - -- Strictly limit membership to the Administrators, Domain Admins, and Enterprise Admins groups. - -- Stringently control where and how domain accounts are used. - -Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users. It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure. Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit. - -Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are secured at the same level as the managed systems. When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit. - -Implementing these best practices is separated into the following tasks: - -- [Separate administrator accounts from user accounts](#task1-separate-admin-accounts) - -- [Create dedicated workstation hosts for administrators](#task2-admin-workstations) - -- [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon) - -- [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation) - -Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation. As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them. Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur. - -### Separate administrator accounts from user accounts - -Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations. Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines: - -- **Privileged account**. Allocate administrator accounts to perform the following administrative duties only: - - - **Minimum**. Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest. Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers. - - - **Better**. Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units (OUs). - - - **Ideal**. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels. Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities. - -- **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights. - -> [!IMPORTANT] -> Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section. - - - -### Create dedicated workstation hosts without Internet and email access - -Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts). - -> [!NOTE] -> If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task. - - - -- **Minimum**. Build dedicated administrative workstations and block Internet access on those workstations including web browsing and email. Use the following ways to block Internet access: - - - Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet. - - - Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations. - - - Block outbound access to the boundary proxy servers in the Windows Firewall. - - The instructions for meeting this minimum requirement are described in the following procedure. - -- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections. - -- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](/windows/device-security/applocker/applocker-overview). - -The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings. - -> [!NOTE] -> In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure. - -**To install administrative workstations in a domain and block Internet and email access (minimum)** - -1. As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations. - -2. Create computer accounts for the new workstations. - - > [!NOTE] - > You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). - - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) - -3. Close Active Directory Users and Computers. - -4. Start the **Group Policy Management** Console (GPMC). - -5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**. - - ![Active Directory's local accounts](images/adlocalaccounts-proc1-sample2.png) - -6. Name the GPO, and > **OK**. - -7. Expand the GPO, right-click the new GPO, and > **Edit**. - - ![Active Directory (AD) local accounts](images/adlocalaccounts-proc1-sample3.png) - -8. Configure which members of accounts can log on locally to these administrative workstations as follows: - - 1. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**. - - 2. Double-click **Allow log on locally**, and then select the **Define these policy settings** check box. - - 3. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 4. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - > [!IMPORTANT] - > These instructions assume that the workstation is to be dedicated to domain administrators. - - - - 5. Click **Add User or Group**, type **Administrators**, and > **OK**. - - ![AD local accounts](images/adlocalaccounts-proc1-sample4.png) - -9. Configure the proxy configuration: - - 1. Navigate to User Configuration\\Policies\\Windows Settings\\Internet Explorer, and > **Connection**. - - 2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**. - - ![AD's local accounts](images/adlocalaccounts-proc1-sample5.png) - -10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows: - - 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\System, and > **Group Policy**. - - 2. Double-click **User Group Policy loopback policy processing mode**, and > **Enabled**. - - 3. Select **Merge Mode**, and > **OK**. - -11. Configure software updates as follows: - - 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\Windows Components, and then click **Windows Update**. - - 2. Configure Windows Update settings as described in the following table. - - |Windows Update Setting|Configuration| - |--- |--- | - |Allow Automatic Updates immediate installation|Enabled| - |Configure Automatic Updates|Enabled4 - Auto download and schedule the installation0 - Every day 03:00| - |Enable Windows Update Power Management to automatically wake up the system to install scheduled updates|Enabled| - |Specify intranet Microsoft Update service location|Enabled `http:// http://` Where `` is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment.| - |Automatic Updates detection frequency|6 hours| - |Re-prompt for restart with scheduled installations|1 minute| - |Delay restart for scheduled installations|5 minutes| - - > [!NOTE] - > This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates. - -12. Configure the inbound firewall to block all connections as follows: - - 1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**. - - ![Local accounts for Active Directory](images/adlocalaccounts-proc1-sample6.png) - - 2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**. - - ![Local accounts for an AD](images/adlocalaccounts-proc1-sample7.png) - - 3. Click **OK** to complete the configuration. - -13. Close the Group Policy Management Console. - -14. Install the Windows operating system on the workstations, give each workstation the same names as the computer accounts assigned to them, and then join them to the domain. - -### Restrict administrator logon access to servers and workstations - -It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer. - -> [!IMPORTANT] -> Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation. - - - -Restrict logon access to lower-trust servers and workstations by using the following guidelines: - -- **Minimum**. Restrict domain administrators from having logon access to servers and workstations. Before starting this procedure, identify all OUs in the domain that contain workstations and servers. Any computers in OUs that are not identified will not restrict administrators with sensitive accounts from signing-in to them. - -- **Better**. Restrict domain administrators from non-domain controller servers and workstations. - -- **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators. - -> [!NOTE] -> For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations) - - - -**To restrict domain administrators from workstations (minimum)** - -1. As a domain administrator, open the Group Policy Management Console (GPMC). - -2. Open **Group Policy Management**, and expand *<forest>*\\Domains\\``, and then expand to **Group Policy Objects**. - -3. Right-click **Group Policy Objects**, and > **New**. - - ![Local account's representation - Active Directory](images/adlocalaccounts-proc2-sample1.png) - -4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**. - - ![Local account's representation - AD](images/adlocalaccounts-proc2-sample2.png) - -5. Right-click **New GPO**, and > **Edit**. - -6. Configure user rights to deny logon locally for domain administrators. - -7. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**, and perform the following: - - 1. Double-click **Deny logon locally**, and > **Define these policy settings**. - - 2. Click **Add User or Group**, click **Browse**, type **Enterprise Admins**, and > **OK**. - - 3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**. - - ![An Active Directory's local accounts](images/adlocalaccounts-proc2-sample3.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - - 4. Click **OK** to complete the configuration. - -8. Configure the user rights to deny batch and service logon rights for domain administrators as follows: - - > [!NOTE] - > Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services. - - - - 1. Double-click **Deny logon as a batch job**, and > **Define these policy settings**. - - 2. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - ![An AD's local accounts](images/adlocalaccounts-proc2-sample4.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - - 4. Double-click **Deny logon as a service**, and > **Define these policy settings**. - - 5. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - ![Local accounts for AD](images/adlocalaccounts-proc2-sample5.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - -9. Link the GPO to the first Workstations OU. - - Navigate to the *<forest>*\\Domains\\``\\OU Path, and then: - - 1. Right-click the workstation OU, and then > **Link an Existing GPO**. - - ![Local accounts representation for an Active Directory](images/adlocalaccounts-proc2-sample6.png) - - 2. Select the GPO that you just created, and > **OK**. - - ![Active Directory's local accounts' presentation](images/adlocalaccounts-proc2-sample7.png) -======= - ![Active Directory local accounts 13](images/adlocalaccounts-proc2-sample6.png) - - 2. Select the GPO that you just created, and > **OK**. - - ![Active Directory local accounts 14](images/adlocalaccounts-proc2-sample7.png) - -10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy. - -11. Link all other OUs that contain workstations. - - However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations). - - > [!IMPORTANT] - > If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators. - - - -### Disable the account delegation right for sensitive administrator accounts - -Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation. This means that a service or a computer that is trusted for delegation can impersonate an account that authenticates to them to access other resources across the network. - -For sensitive accounts, such as those belonging to members of the Administrators, Domain Admins, or Enterprise Admins groups in Active Directory, delegation can present a substantial risk of rights escalation. For example, if an account in the Domain Admins group is used to sign in to a compromised member server that is trusted for delegation, that server can request access to resources in the context of the Domain Admins account, and escalate the compromise of that member server to a domain compromise. - -It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the **Account is sensitive and cannot be delegated** check box under **Account options** to prevent these accounts from being delegated. For more information, see [Setting for default local accounts in Active Directory](#sec-account-settings). - -As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it. - -![An Active Directory local accounts' presentation](images/adlocalaccounts-proc3-sample1.png) - -## Secure and manage domain controllers - - -It is a best practice to strictly enforce restrictions on the domain controllers in your environment. This ensures that the domain controllers: - -1. Run only required software - -2. Required software is regularly updated - -3. Are configured with the appropriate security settings - -One aspect of securing and managing domain controllers is to ensure that the default local user accounts are fully protected. It is of primary importance to restrict and secure all sensitive domain accounts, as described in the preceding sections. - -Because domain controllers store credential password hashes of all accounts in the domain, they are high-value targets for malicious users. When domain controllers are not well managed and secured by using restrictions that are strictly enforced, they can be compromised by malicious users. For example, a malicious user could steal sensitive domain administrator credentials from one domain controller, and then use these credentials to attack the domain and forest. - -In addition, installed applications and management agents on domain controllers might provide a path for escalating rights that malicious users can use to compromise the management service or administrators of that service. The management tools and services, which your organization uses to manage domain controllers and their administrators, are equally important to the security of the domain controllers and the domain administrator accounts. Ensure that these services and administrators are fully secured with equal effort. - -## See also - -- [Security Principals](security-principals.md) - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md deleted file mode 100644 index 2ec117c8b9..0000000000 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ /dev/null @@ -1,1435 +0,0 @@ ---- -title: Active Directory Security Groups -description: Active Directory Security Groups -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 09/21/2021 ---- - -# Active Directory Security Groups - -**Applies to** -- Windows Server 2016 or later -- Windows 10 or later - -This reference topic for the IT professional describes the default Active Directory security groups. - -## - - -There are two forms of common security principals in Active Directory: user accounts and computer accounts. These accounts represent a physical entity (a person or a computer). User accounts can also be used as dedicated service accounts for some applications. Security groups are used to collect user accounts, computer accounts, and other groups into manageable units. - -In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. For Active Directory, there are two types of administrative responsibilities: - -- **Service administrators**   Responsible for maintaining and delivering Active Directory Domain Services (AD DS), including managing domain controllers and configuring the AD DS. - -- **Data administrators**   Responsible for maintaining the data that is stored in AD DS and on domain member servers and workstations. - -## About Active Directory groups - - -Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration. - -There are two types of groups in Active Directory: - -- **Distribution groups** Used to create email distribution lists. - -- **Security groups** Used to assign permissions to shared resources. - -### Distribution groups - -Distribution groups can be used only with email applications (such as Exchange Server) to send email to collections of users. Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs). - -### Security groups - -Security groups can provide an efficient way to assign access to resources on your network. By using security groups, you can: - -- Assign user rights to security groups in Active Directory. - - User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person’s administrative role in the domain. - - For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group. - - You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). - -- Assign permissions to security groups for resources. - - Permissions are different than user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups, such as the Account Operators group or the Domain Admins group. - - Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory, and the user receives the permissions that are defined for that group. - -Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all the members of the group. - -### Group scope - -Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The scope of the group defines where the group can be granted permissions. The following three group scopes are defined by Active Directory: - -- Universal - -- Global - -- Domain Local - -> [!NOTE] -> In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed. - - - -The following table lists the three group scopes and more information about each scope for a security group. - -**Group scopes** - -|Scope|Possible Members|Scope Conversion|Can Grant Permissions|Possible Member of| -|--- |--- |--- |--- |--- | -|Universal|Accounts from any domain in the same forest

                        Global groups from any domain in the same forest

                        Other Universal groups from any domain in the same forest|Can be converted to

                        Domain Local scope if the group is not a member of any other Universal groups

                        Can be converted to Global scope if the group does not contain any other Universal groups|On any domain in the same forest or trusting forests|Other Universal groups in the same forest

                        Domain

                        Local groups in the same forest or trusting forests

                        Local groups on computers in the same forest or trusting forests| -|Global|Accounts from the same domain

                        Other Global groups from the same domain|Can be converted to Universal scope if the group is not a member of any other global group|On any domain in the same forest, or trusting domains or forests|Universal groups from any domain in the same forest

                        Other Global groups from the same domain

                        Domain Local groups from any domain in the same forest, or from any trusting domain| -|Domain Local|Accounts from any domain or any trusted domain

                        Global groups from any domain or any trusted domain

                        Universal groups from any domain in the same forest

                        Other Domain Local groups from the same domain

                        Accounts, Global groups, and Universal groups from other forests and from external domains|Can be converted to Universal scope if the group does not contain any other Domain Local groups|Within the same domain|Other Domain Local groups from the same domain

                        Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs| - -### Special identity groups - -Special identities are generally referred to as groups. Special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Some of these groups include Creator Owner, Batch, and Authenticated User. - -For information about all the special identity groups, see [Special Identities](special-identities.md). - -## Default security groups - - -Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles. - -Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain. - -When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group for any shared resources. - -Default groups are located in the **Builtin** container and in the **Users** container in Active Directory Users and Computers. The **Builtin** container includes groups that are defined with the Domain Local scope. The **Users** includes contains groups that are defined with Global scope and groups that are defined with Domain Local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains. - -Some of the administrative groups that are listed in this topic and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor. This descriptor is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings. - -The security descriptor is present on the **AdminSDHolder** object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the **AdminSDHolder** object so that it will be applied consistently. Be careful when you make these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts. - -### Active Directory default security groups by operating system version - -The following tables provide descriptions of the default groups that are located in the **Builtin** and **Users** containers in each operating system. - -|Default Security Group|Windows Server 2016|Windows Server 2012 R2|Windows Server 2012|Windows Server 2008 R2| -|--- |--- |--- |--- |--- | -|[Access Control Assistance Operators](#bkmk-acasstops)|Yes|Yes|Yes|| -|[Account Operators](#bkmk-accountoperators)|Yes|Yes|Yes|Yes| -|[Administrators](#bkmk-admins)|Yes|Yes|Yes|Yes| -|[Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl)|Yes|Yes|Yes|Yes| -|[Backup Operators](#bkmk-backupoperators)|Yes|Yes|Yes|Yes| -|[Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess)|Yes|Yes|Yes|Yes| -|[Cert Publishers](#bkmk-certpublishers)|Yes|Yes|Yes|Yes| -|[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)|Yes|Yes|Yes|| -|[Cryptographic Operators](#bkmk-cryptographicoperators)|Yes|Yes|Yes|Yes| -|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|Yes|Yes|Yes|Yes| -|[Device Owners](#bkmk-device-owners)|Yes|Yes|Yes|Yes| -|[Distributed COM Users](#bkmk-distributedcomusers)|Yes|Yes|Yes|Yes| -|[DnsUpdateProxy](#bkmk-dnsupdateproxy)|Yes|Yes|Yes|Yes| -|[DnsAdmins](#bkmk-dnsadmins)|Yes|Yes|Yes|Yes| -|[Domain Admins](#bkmk-domainadmins)|Yes|Yes|Yes|Yes| -|[Domain Computers](#bkmk-domaincomputers)|Yes|Yes|Yes|Yes| -|[Domain Controllers](#bkmk-domaincontrollers)|Yes|Yes|Yes|Yes| -|[Domain Guests](#bkmk-domainguests)|Yes|Yes|Yes|Yes| -|[Domain Users](#bkmk-domainusers)|Yes|Yes|Yes|Yes| -|[Enterprise Admins](#bkmk-entadmins)|Yes|Yes|Yes|Yes| -|[Enterprise Key Admins](#enterprise-key-admins)|Yes|||| -|[Enterprise Read-only Domain Controllers](#bkmk-entrodc)|Yes|Yes|Yes|Yes| -|[Event Log Readers](#bkmk-eventlogreaders)|Yes|Yes|Yes|Yes| -|[Group Policy Creator Owners](#bkmk-gpcreatorsowners)|Yes|Yes|Yes|Yes| -|[Guests](#bkmk-guests)|Yes|Yes|Yes|Yes| -|[Hyper-V Administrators](#bkmk-hypervadministrators)|Yes|Yes|Yes|| -|[IIS_IUSRS](#bkmk-iis-iusrs)|Yes|Yes|Yes|Yes| -|[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)|Yes|Yes|Yes|Yes| -|[Key Admins](#key-admins)|Yes|||| -|[Network Configuration Operators](#bkmk-networkcfgoperators)|Yes|Yes|Yes|Yes| -|[Performance Log Users](#bkmk-perflogusers)|Yes|Yes|Yes|Yes| -|[Performance Monitor Users](#bkmk-perfmonitorusers)|Yes|Yes|Yes|Yes| -|[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)|Yes|Yes|Yes|Yes| -|[Print Operators](#bkmk-printoperators)|Yes|Yes|Yes|Yes| -|[Protected Users](#bkmk-protectedusers)|Yes|Yes||| -|[RAS and IAS Servers](#bkmk-rasandias)|Yes|Yes|Yes|Yes| -|[RDS Endpoint Servers](#bkmk-rdsendpointservers)|Yes|Yes|Yes|| -|[RDS Management Servers](#bkmk-rdsmanagementservers)|Yes|Yes|Yes|| -|[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)|Yes|Yes|Yes|| -|[Read-only Domain Controllers](#bkmk-rodc)|Yes|Yes|Yes|Yes| -|[Remote Desktop Users](#bkmk-remotedesktopusers)|Yes|Yes|Yes|Yes| -|[Remote Management Users](#bkmk-remotemanagementusers)|Yes|Yes|Yes|| -|[Replicator](#bkmk-replicator)|Yes|Yes|Yes|Yes| -|[Schema Admins](#bkmk-schemaadmins)|Yes|Yes|Yes|Yes| -|[Server Operators](#bkmk-serveroperators)|Yes|Yes|Yes|Yes| -|[Storage Replica Administrators](#storage-replica-administrators)|Yes|||| -|[System Managed Accounts Group](#system-managed-accounts-group)|Yes|||| -|[Terminal Server License Servers](#bkmk-terminalserverlic)|Yes|Yes|Yes|Yes| -|[Users](#bkmk-users)|Yes|Yes|Yes|Yes| -|[Windows Authorization Access Group](#bkmk-winauthaccess)|Yes|Yes|Yes|Yes| -|[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)||Yes|Yes|| - -### Access Control Assistance Operators - -Members of this group can remotely query authorization attributes and permissions for resources on the computer. - -The Access Control Assistance Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-579| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Account Operators - -The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers. - -Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the [Administrators](#bkmk-admins), [Server Operators](#bkmk-serveroperators), [Account Operators](#bkmk-accountoperators), [Backup Operators](#bkmk-backupoperators), or [Print Operators](#bkmk-printoperators) groups. Members of this group cannot modify user rights. - -The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved. - - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-548| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| - - - -### Administrators - -Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain. - -The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. - -Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain. - - - -This security group includes the following changes since Windows Server 2008: - -- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services). - -- [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-544| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|Administrator, Domain Admins, Enterprise Admins| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege

                        [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

                        [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                        [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight

                        [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

                        [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

                        [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

                        [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

                        [Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege

                        [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege

                        [Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege

                        [Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege

                        [Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege

                        [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

                        [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege

                        [Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege

                        [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

                        [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

                        [Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege

                        [Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege

                        [Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege

                        [Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege

                        [Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege

                        [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege

                        [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

                        [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege

                        [Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege| - -### Allowed RODC Password Replication Group - -The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group. - -The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-571| -|Type|Domain local| -|Default container|CN=Users DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Backup Operators - -Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators. - -The Backup Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-551| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                        [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

                        [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

                        [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

                        [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - - - -### Certificate Service DCOM Access - -Members of this group are allowed to connect to certification authorities in the enterprise. - -The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-<domain>-574| -|Type|Domain Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### Cert Publishers - -Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory. - -The Cert Publishers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-517| -|Type|Domain Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Cloneable Domain Controllers - -Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group). - -For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-522| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Cryptographic Operators - -Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode. - -The Cryptographic Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-569| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - - -### Denied RODC Password Replication Group - -Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller. - -The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl). - -This security group includes the following changes since Windows Server 2008: - -- Windows Server 2012 changed the default members to include [Cert Publishers](#bkmk-certpublishers). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-572| -|Type|Domain local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|[Cert Publishers](#bkmk-certpublishers)

                        [Domain Admins](#bkmk-domainadmins)

                        [Domain Controllers](#bkmk-domaincontrollers)

                        [Enterprise Admins](#bkmk-entadmins)

                        Group Policy Creator Owners

                        [Read-only Domain Controllers](#bkmk-rodc)

                        [Schema Admins](#bkmk-schemaadmins)| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### Device Owners -This group is not currently used in Windows. - -Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group. - -The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-583| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out but it is not recommended| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                        [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

                        [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

                        [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege| - -### Distributed COM Users - -Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Distributed COM Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-562| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### DnsUpdateProxy - -Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario. - -However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. - -For information, see [DNS Record Ownership and the DnsUpdateProxy Group](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### DnsAdmins - -Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. - -For more information about security and DNS, see [DNSSEC in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593694(v=ws.11)). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Builtin Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Domain Admins - -Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. - -The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain. - -The Domain Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-512| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Administrators](#bkmk-admins)

                        [Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Administrators](#bkmk-admins)

                        See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - - - -### Domain Computers - -This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group. - -The Domain Computers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-515| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|All computers joined to the domain, excluding domain controllers| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes (but not required)| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Domain Controllers - -The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group. - -The Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-516| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Computer accounts for all domain controllers of the domain| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|No| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Domain Guests - -The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer. - -The Domain Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-514| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Guest| -|Default member of|[Guests](#bkmk-guests)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Can be moved out but it is not recommended| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Guests](#bkmk-guests)| - -### Domain Users - -The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group. - -By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer). - -The Domain Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-513| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator -krbtgt| -|Default member of|[Users](#bkmk-users)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Users](#bkmk-users)| - -### Enterprise Admins - -The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains. - -By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account. - -The Enterprise Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-519| -|Type|Universal (if Domain is in Native-Mode) else Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Administrators](#bkmk-admins) -[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Administrators](#bkmk-admins)

                        See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Enterprise Key Admins - -Members of this group can perform administrative actions on key objects within the forest. - -The Enterprise Key Admins group was introduced in Windows Server 2016. - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-21-<domain>-527 | -| Type | Global | -| Default container | CN=Users, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | Yes | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - -### Enterprise Read-Only Domain Controllers - -Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller. - -Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it. - -For more information, see [What Is an RODC?](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771030(v=ws.10)). - -The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-498| -|Type|Universal| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Event Log Readers - -Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller. - -The Event Log Readers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-573| -|Type|Domain Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Group Policy Creator Owners - -This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator. - -For information about other features you can use with this security group, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). - -The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-520| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|No| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Guests - -Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account. - -When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the **%userprofile%** directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting **Do not logon users with temporary profiles** when it is enabled. This setting is located under the following path: - -Computer Configuration\\Administrative Templates\\System\\User Profiles - -> [!NOTE] -> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account. - -The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled. - -The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-546| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|[Domain Guests](#bkmk-domainguests)| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - - -### Hyper-V Administrators - -Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access. - -> [!NOTE] -> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group. - - - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-578| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### IIS\_IUSRS - -IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS. - -For more information, see [Understanding Built-In User and Group Accounts in IIS 7](/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-568| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|IUSR| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Incoming Forest Trust Builders - -Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account. - -To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups. - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - - -For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)). - -The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-557| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Key Admins - -Members of this group can perform administrative actions on key objects within the domain. - -The Key Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-21-<domain>-526 | -| Type | Global | -| Default container | CN=Users, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | Yes | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### Network Configuration Operators - -Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features: - -- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers. - -- Rename the LAN connections or remote access connections that are available to all the users. - -- Enable or disable a LAN connection. - -- Modify the properties of all of remote access connections of users. - -- Delete all the remote access connections of users. - -- Rename all the remote access connections of users. - -- Issue **ipconfig**, **ipconfig /release**, or **ipconfig /renew** commands. - -- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card. - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-556| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Performance Log Users - -Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group: - -- Can use all the features that are available to the Performance Monitor Users group. - -- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. - - > [!WARNING] - > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. - - > [!NOTE] - > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group. - > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied. - -- Cannot use the Windows Kernel Trace event provider in Data Collector Sets. - -For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console. - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This account cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-559| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight| - - - -### Performance Monitor Users - -Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways. - -Specifically, members of this security group: - -- Can use all the features that are available to the Users group. - -- Can view real-time performance data in Performance Monitor. - - Can change the Performance Monitor display properties while viewing data. - -- Cannot create or modify Data Collector Sets. - - > [!WARNING] - > You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group. - - - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved. - - - -The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-558| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - - -### Pre–Windows 2000 Compatible Access - -Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier. - -> [!WARNING] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-554| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|If you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members.| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

                        [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - - - -### Print Operators - -Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. - -This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved. - -The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj190062(v=ws.11)). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-550| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                        [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

                        [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - -### Protected Users - -Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. - -This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. - -This domain-related, global group triggers non-configurable protection on devices and host computers, starting with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable protection on domain controllers in domains with a primary domain controller running Windows Server 2012 R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer. - -Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows. - -- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a member of the Protected User group. - -- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite. - -- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group. - -- The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again. - -The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)). - -The following table specifies the properties of the Protected Users group. - -|Attribute|Value| -|--- |--- | -|Well-known SID/RID|S-1-5-21-<domain>-525| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-service admins?|No| -|Default user rights|None| - -### RAS and IAS Servers - -Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. - -The RAS and IAS Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-553| -|Type|Builtin Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### RDS Endpoint Servers - -Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. - -For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-576| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### RDS Management Servers - -Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group. - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-577| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### RDS Remote Access Servers - -Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group. - -For more information, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-575| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Read-Only Domain Controllers - -This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. - -Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: - -- Read-only AD DS database - -- Unidirectional replication - -- Credential caching - -- Administrator role separation - -- Read-only Domain Name System (DNS) - -For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754719(v=ws.10)). - -This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-521| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Remote Desktop Users - -The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-555| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - - - - -### Remote Management Users - -Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. - -The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands. - -For more information, see [What's New in MI?](/previous-versions/windows/desktop/wmi_v2/what-s-new-in-mi) and [About WMI](/windows/win32/wmisdk/about-wmi). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-580| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Replicator - -Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites. - -> [!WARNING] -> In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers. - -However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see: - -- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](/windows/win32/win7appqual/file-replication-service--frs--is-deprecated-in-windows-server-2008-r2) -- [DFS Namespaces and DFS Replication Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127250(v=ws.11)) - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-552| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Schema Admins - -Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. - -The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. - -The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory. - -For more information, see [What Is the Active Directory Schema?: Active Directory](/previous-versions/windows/it-pro/windows-server-2003/cc784826(v=ws.10)). - -The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-518| -|Type|Universal (if Domain is in Native-Mode) else Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Server Operators - -Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. - -By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. - -The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-549| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                        [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

                        [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

                        [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

                        [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

                        [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege

                        [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - -### Storage Replica Administrators - -Members of this group have complete and unrestricted access to all features of Storage Replica. - -The Storage Replica Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-32-582 | -| Type | Builtin Local | -| Default container | CN=BuiltIn, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | No | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### System Managed Accounts Group - -Members of this group are managed by the system. - -The System Managed Accounts group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-32-581 | -| Type | Builtin Local | -| Default container | CN=BuiltIn, DC=<domain>, DC= | -| Default members | Users | -| Default member of | None | -| Protected by ADMINSDHOLDER? | No | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### Terminal Server License Servers - -Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -For more information about this security group, see [Terminal Services License Server Security Group Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775331(v=ws.10)). - -The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - - -This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-561| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Safe to move out of default container?|Cannot be moved| -|Protected by ADMINSDHOLDER?|No| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Users - -Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. - -Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved. - -The Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group includes the following changes since Windows Server 2008: - -- In Windows Server 2008 R2, INTERACTIVE was added to the default members list. - -- In Windows Server 2012, the default **Member Of** list changed from Domain Users to none. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-545| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|Authenticated Users

                        [Domain Users](#bkmk-domainusers)

                        INTERACTIVE| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Windows Authorization Access Group - -Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-560| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|Enterprise Domain Controllers| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default user rights|None| - -### WinRMRemoteWMIUsers\_ - -In Windows 8 and in Windows Server 2012, a **Share** tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running. - -The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -- If the file share is hosted on a server that is running a supported version of the operating system: - - - You must be a member of the WinRMRemoteWMIUsers\_\_ group or the BUILTIN\\Administrators group. - - - You must have Read permissions to the file share. - -- If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012: - - - You must be a member of the BUILTIN\\Administrators group. - - - You must have Read permissions to the file share. - -In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions. - -> [!NOTE] -> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console. - - - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Domain local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -## See also - -- [Security Principals](security-principals.md) - -- [Special Identities](special-identities.md) - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md deleted file mode 100644 index c68a4e721f..0000000000 --- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ /dev/null @@ -1,144 +0,0 @@ ---- -title: Dynamic Access Control Overview (Windows 10) -description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -ms.reviewer: ---- - -# Dynamic Access Control Overview - -**Applies to** -- Windows Server 2016 - -This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. - -Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources. - -For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview). - -Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes. - -Features and concepts associated with Dynamic Access Control include: - -- [Central access rules](#bkmk-rules) - -- [Central access policies](#bkmk-policies) - -- [Claims](#bkmk-claims) - -- [Expressions](#bkmk-expressions2) - -- [Proposed permissions](#bkmk-permissions2) - -### Central access rules - -A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy. - -If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements. - -### Central access policies - -Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to: - -- Identify and mark the files that contain the PII. - -- Identify the group of HR members who are allowed to view the PII information. - -- Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization. - -Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders. - -### Claims - -A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows: - -- **User claims**   Active Directory attributes that are associated with a specific user. - -- **Device claims**   Active Directory attributes that are associated with a specific computer object. - -- **Resource attributes**  Global resource properties that are marked for use in authorization decisions and published in Active Directory. - -Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies. - -### Expressions - -Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC). - -Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments. - -### Proposed permissions - -Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them. - -Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes. - -## Additional changes - - -Additional enhancements in the supported versions of Windows that support Dynamic Access Control include: - -### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups. - -By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control. - -### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain. - -Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**. - -### Support in Active Directory to store user and device claims, resource properties, and central access policy objects. - -### Support for using Group Policy to deploy central access policy objects. - -The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**. - -### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing - -You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network. - -### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts - -You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims: - -- **Value-based filtering**  Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest. - -- **Claim type-based filtering**  Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest. - -- **Claim type-based transformation**  Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both. - -## Software requirements - - -Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions: - -- Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server. - -- Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control. - -For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows: - -- **Always provide claims**   Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher. - -- **Supported**   When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control. - -If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level. - -If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests. - -If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level. - -A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server. - -## See also - -- [Access control overview](access-control.md) \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 655ef0f5b4..cf62379ed8 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -2,36 +2,33 @@ title: Local Accounts (Windows 10) description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium -ms.date: 02/28/2019 +ms.date: 06/17/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Local Accounts -**Applies to** -- Windows 11 -- Windows 10 -- Windows Server 2019 -- Windows Server 2016 - -This reference topic for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. +This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. ## About local user accounts Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. -This topic describes the following: +This article describes the following: - [Default local user accounts](#sec-default-accounts) @@ -61,9 +58,9 @@ For information about security principals, see [Security Principals](security-pr The default local user accounts are built-in accounts that are created automatically when you install Windows. -After Windows is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources. +After Windows is installed, the default local user accounts can't be removed or deleted. In addition, default local user accounts don't provide access to network resources. -Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this topic. +Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this article. Default local user accounts are described in the following sections. @@ -73,23 +70,23 @@ The default local Administrator account is a user account for the system adminis The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions. -The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. +The default Administrator account can't be deleted or locked out, but it can be renamed or disabled. From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. **Account group membership** -By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer. +By default, the Administrator account is installed as a member of the Administrators group on the server. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer. -The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed. +The Administrator account can't be deleted or removed from the Administrators group, but it can be renamed. **Security considerations** -Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer. +Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer. You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732112(v=ws.11)) and [Rename a local user account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725595(v=ws.11)). -As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see [Run a program with administrative credentials](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732200(v=ws.11)). +As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Don't use the Administrator account to sign in to your computer unless it's entirely necessary. For more information, see [Run a program with administrative credentials](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732200(v=ws.11)). In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers. @@ -103,7 +100,7 @@ In this case, Group Policy can be used to enable secure settings that can contro ### Guest account -The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary. +The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it's a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is entirely necessary. **Account group membership** @@ -111,26 +108,26 @@ By default, the Guest account is the only member of the default Guests group (SI **Security considerations** -When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account should not be used over the network and made accessible to other computers. +When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers. -In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. +In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user. ## HelpAssistant account (installed with a Remote Assistance session) The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. -HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. +HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. **Security considerations** The SIDs that pertain to the default HelpAssistant account include: -- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services. +- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. - SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. -For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. +For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used. For details about the HelpAssistant account attributes, see the following table. @@ -144,14 +141,14 @@ For details about the HelpAssistant account attributes, see the following table. |Default members|None| |Default member of|Domain Guests

                        Guests| |Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| +|Safe to move out of default container?|Can be moved out, but we don't recommend it.| |Safe to delegate management of this group to non-Service admins?|No| ### DefaultAccount The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. The DSMA is a well-known user account type. -It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. +It's a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\-503 @@ -171,24 +168,24 @@ Today, Xbox automatically signs in as Guest account and all apps run in this con All the apps are multi-user-aware and respond to events fired by user manager. The apps run as the Guest account. -Similarly, Phone auto logs in as a “DefApps” account which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. +Similarly, Phone auto logs in as a “DefApps” account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. For this purpose, the system creates DSMA. #### How the DefaultAccount gets created on domain controllers -If the domain was created with domain controllers that run Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain. -If the domain was created with domain controllers that run an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain. +If the domain was created with domain controllers running Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain. +If the domain was created with domain controllers running an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain. #### Recommendations for managing the Default Account (DSMA) -Microsoft does not recommend changing the default configuration, where the account is disabled. There is no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. +Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. ## Default local system accounts ### SYSTEM -The SYSTEM account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It is an internal account that does not show up in User Manager, and it cannot be added to any groups. +The SYSTEM account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. @@ -204,22 +201,22 @@ The LOCAL SERVICE account is a predefined local account used by the service cont ## How to manage local user accounts -The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)). +The default local user accounts, and the local user accounts you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)). -You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner. +You can use Local Users and Groups to assign rights and permissions on only the local server to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner. -You cannot use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network. +You can't use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that aren't domain controllers on the network. > [!NOTE] > You use Active Directory Users and Computers to manage users and groups in Active Directory. -You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using a variety of PowerShell cmdlets and other scripting technologies. +You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using various PowerShell cmdlets and other scripting technologies. ### Restrict and protect local accounts with administrative rights -An administrator can use a number of approaches to prevent malicious users from using stolen credentials, such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights; this is also called "lateral movement". +An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement". -The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks, for example, to browse the Internet, send email, or use a word processor. When you want to perform an administrative task, for example, to install a new program or to change a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section. +The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section. The other approaches that can be used to restrict and protect user accounts with administrative rights include: @@ -244,16 +241,18 @@ UAC makes it possible for an account with administrative rights to be treated as In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session. -For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration. +For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it's issued a standard user token with no administrative rights, but without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon can't access administrative shares such as C$, or ADMIN$, or perform any remote administration. For more information about UAC, see [User Account Control](/windows/access-protection/user-account-control/user-account-control-overview). The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access. + + |No.|Setting|Detailed Description| |--- |--- |--- | ||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options| -|1|Policy name|[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)| +|1|Policy name|[User Account Control: Admin Approval Mode for the Built-in Administrator account](/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account)| ||Policy setting|Enabled| |2|Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options| ||Policy name|[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)| @@ -266,7 +265,6 @@ The following table shows the Group Policy and registry settings that are used t > [!NOTE] > You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. - #### To enforce local account restrictions for remote access 1. Start the **Group Policy Management** Console (GPMC). @@ -285,7 +283,7 @@ The following table shows the Group Policy and registry settings that are used t ![local accounts 3.](images/localaccounts-proc1-sample3.png) -6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following: +6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**. @@ -293,7 +291,7 @@ The following table shows the Group Policy and registry settings that are used t 3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**. -7. Ensure that the local account restrictions are applied to network interfaces by doing the following: +7. Ensure that the local account restrictions are applied to network interfaces by following these steps: 1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**. @@ -305,7 +303,7 @@ The following table shows the Group Policy and registry settings that are used t 4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**. - 5. Click (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. + 5. Select (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. 6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**. @@ -325,7 +323,7 @@ The following table shows the Group Policy and registry settings that are used t ![local accounts 6.](images/localaccounts-proc1-sample6.png) - 3. Select the GPO that you just created, and > **OK**. + 3. Select the GPO that you created, and > **OK**. 9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. @@ -335,7 +333,7 @@ The following table shows the Group Policy and registry settings that are used t ### Deny network logon to all local Administrator accounts -Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that the credentials for local accounts that are stolen from a compromised operating system cannot be used to compromise additional computers that use the same credentials. +Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials. > [!NOTE] > To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group. @@ -361,7 +359,7 @@ The following table shows the Group Policy settings that are used to deny networ 3. In the console tree, right-click **Group Policy Objects**, and > **New**. -4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer. +4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer. ![local accounts 7.](images/localaccounts-proc2-sample1.png) @@ -375,15 +373,15 @@ The following table shows the Group Policy settings that are used to deny networ 2. Double-click **Deny access to this computer from the network**. - 3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. + 3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. 7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows: - 1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**. + 1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**. 2. Double-click **Deny log on through Remote Desktop Services**. - 3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. + 3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. 8. Link the GPO to the first **Workstations** OU as follows: @@ -391,7 +389,7 @@ The following table shows the Group Policy settings that are used to deny networ 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - 3. Select the GPO that you just created, and > **OK**. + 3. Select the GPO that you created, and > **OK**. 9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. @@ -405,9 +403,9 @@ The following table shows the Group Policy settings that are used to deny networ ### Create unique passwords for local accounts with administrative rights -Passwords should be unique per individual account. While this is generally true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments. +Passwords should be unique per individual account. While it's true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments. -Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hampers the ability of malicious users to use password hashes of those accounts to compromise other computers. +Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hamper the ability of malicious users to use password hashes of those accounts to compromise other computers. Passwords can be randomized by: diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md deleted file mode 100644 index 992afda9d6..0000000000 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ /dev/null @@ -1,190 +0,0 @@ ---- -title: Microsoft Accounts (Windows 10) -description: Microsoft Accounts -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 10/13/2017 -ms.reviewer: ---- - -# Microsoft Accounts - -**Applies to** -- Windows 10 - -This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization. - -Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. - -When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices. - -## How a Microsoft account works - -The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials. - -When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed. - -**Important**   -Local Windows account functionality has not been removed, and it is still an option to use in managed environments. - -### How Microsoft accounts are created - -To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped. - -Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise. - -There are two methods for creating a Microsoft account: - -- **Use an existing email address**. - - Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords. - -- **Sign up for a Microsoft email address**. - - Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts. - -### How the Microsoft account information is safeguarded - -Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services. - -- **Strong password is required**. - - Blank passwords are not allowed. - - For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9). - -- **Secondary proof of identity is required**. - - Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings. - -- **All user profile data is encrypted on the client before it is transmitted to the cloud**. - - User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol. - -**Microsoft account security information is added**. - -Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date. - -## The Microsoft account in the enterprise - - -Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages. - -- **Download Microsoft Store apps**: - - If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT. - -- **Single sign-on**: - - Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions. - -- **Personalized settings synchronization**: - - Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device. - -- **App synchronization**: - - Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed. - -- **Integrated social media services**: - - Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr. - -### Managing the Microsoft account in the domain - -Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise: - -- [Restrict the use of the Microsoft account](#bkmk-restrictuse) - -- [Configure connected accounts](#bkmk-cfgconnectedaccounts) - -- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts) - -- [Audit account activity](#bkmk-audit) - -- [Perform password resets](#bkmk-passwordresets) - -- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage) - -### Restrict the use of the Microsoft account - -The following Group Policy settings help control the use of Microsoft accounts in the enterprise: - -- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication) -- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts) - -#### Block all consumer Microsoft account user authentication - -This setting controls whether users can provide Microsoft accounts for authentication for applications or services. - -If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. -This applies both to existing users of a device and new users who may be added. - -However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. -It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. - -If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. -By default, this setting is **Disabled**. - -This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. - -The path to this setting is: - -Computer Configuration\Administrative Templates\Windows Components\Microsoft account - -#### Accounts: Block Microsoft accounts - -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. - -There are two options if this setting is enabled: - -- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). -- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. - -This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services). - -By default, this setting is **Not defined**. - -The path to this setting is: - -Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - -### Configure connected accounts - -Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices. - -Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**. - -**Note**   -Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account. - -### Provision Microsoft accounts in the enterprise - -Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts. - -### Audit account activity - -Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain. - -### Perform password resets - -Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com). - -### Restrict app installation and usage - -Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker). - -## See also - -- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj884082(v=ws.11)) - -- [Access Control Overview](access-control.md) \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md deleted file mode 100644 index 8564378d9c..0000000000 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ /dev/null @@ -1,335 +0,0 @@ ---- -title: Security identifiers (Windows 10) -description: Security identifiers -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 ---- - -# Security identifiers - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - -This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system. - -## What are security identifiers? - -A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. - -Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group. - -Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer. - -In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems. - -SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment. - -The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic. - -## How security identifiers work - -Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused. - -The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services. - -For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise. - -SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals. - -## Security identifier architecture - -A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID. - -![Security identifier architecture.](images/security-identifider-architecture.jpg) - -The individual values of a SID are described in the following table. - -| Comment | Description | -| - | - | -| Revision | Indicates the version of the SID structure that is used in a particular SID. | -| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). | -| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. | - -The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation: -``` -S-R-X-Y1-Y2-Yn-1-Yn -``` - -In this notation, the components of a SID are represented as shown in the following table. - -| Comment | Description | -| - | - | -| S | Indicates that the string is a SID | -| R | Indicates the revision level | -| X | Indicates the identifier authority value | -| Y | Represents a series of subauthority values, where *n* is the number of values | - -The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier. - -The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier. - -For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string: - -``` -S-1-5-32-544 -``` - -This SID has four components: - -- A revision level (1) - -- An identifier authority value (5, NT Authority) - -- A domain identifier (32, Builtin) - -- A relative identifier (544, Administrators) - -SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one. - -Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544. - -In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\\Domain Admins): - -``` -S-1-5-21-1004336348-1177238915-682003330-512 -``` - -The SID for Contoso\\Domain Admins has: - -- A revision level (1) - -- An identifier authority (5, NT Authority) - -- A domain identifier (21-1004336348-1177238915-682003330, Contoso) - -- A relative identifier (512, Domain Admins) - -The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512. - -## Relative identifier allocation - -When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again. - -In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation. - -The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master. - -Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier. - -## Security identifiers and globally unique identifiers - -When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property. - -Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life. - -If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes. - -When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access. - -If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others. - -However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID. - -## Well-known SIDs - -The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups. - -There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems. - -The following table lists the universal well-known SIDs. - -| Value | Universal Well-Known SID | Identifies | -| - | - | - | -| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.| -| S-1-1-0 | World | A group that includes all users. | -| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. | -| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. | -| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. | -| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. | -| S-1-3-2 | Creator Owner Server | | -| S-1-3-3 | Creator Group Server | | -| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. | -| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. | -| S-1-5 | NT Authority | A SID that represents an identifier authority. | -| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| - -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. - -| Identifier Authority | Value | SID String Prefix | -| - | - | - | -| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 | -| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 | -| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 | -| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 | -| SECURITY_NT_AUTHORITY | 5 | S-1-5 | -| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 | - -The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID. - -| Relative Identifier Authority | Value | Identifier Authority | -| - | - | - | -| SECURITY_NULL_RID | 0 | S-1-0 | -| SECURITY_WORLD_RID | 0 | S-1-1 | -| SECURITY_LOCAL_RID | 0 | S-1-2 | -| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 | -| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 | - -The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs. - -| SID | Display Name | Description | -| - | - | - | -| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.| -| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.| -| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. | -| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.| -| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| -| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| -| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| -| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.| -| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
                        The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| -| S-1-5-8| Proxy| Does not currently apply: this SID is not used.| -| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.| -| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| -| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
                        This group includes authenticated security principals from any trusted domain, not only the current domain.| -| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.| -| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| -| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| -| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| -| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.| -| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
                        System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
                        When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| -| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| -| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| -| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
                        The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
                        By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.| -| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
                        By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
                        Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.| -| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.| -| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
                        Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.| -| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.| -| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.| -| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.| -| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.| -| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
                        Cert Publishers are authorized to publish certificates for User objects in Active Directory.| -| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.| -| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
                        The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
                        By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. | -| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
                        Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| -| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
                        Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| -| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| -| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| -| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| -| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. | -| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| -| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.| -| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.| -| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.| -| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.| -|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.| -|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.| -|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.| -|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.| -|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.| -|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.| -|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.| -|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.| -|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.| -|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.| -|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.| -|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.| -|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.| -|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.| -|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.| -|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.| -|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.| -|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.| -|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.| -| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client| -| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.| -| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.| -| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| -| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| -| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | - -The following RIDs are relative to each domain. - -| RID |Decimal value| Identifies | -| - | - | - | -| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. | -| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.| -| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.| -| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.| -| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.| -| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.| -| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.| -| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.| - -The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups. - -| RID | Decimal value | Identifies | -| - | - | - | -| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.| -| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.| -| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.| -| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.| -| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.| -| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.| -| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.| - -## Changes in security identifier's functionality - -The following table describes changes in SID implementation in the Windows operating systems that are designated in the list. - -| Change | Operating system version | Description and resources | -| - | - | - | -| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. | -| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. | - -## Capability SIDs - -Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource. - -All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location. - -## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition - -You may see the following registry keys under AllCachedCapabilities: - -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows - -All Capability SIDs are prefixed by S-1-15-3 - -## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition - -You may see the following registry keys under AllCachedCapabilities: - -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows - -All Capability SIDs are prefixed by S-1-15-3 - -## See also - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md deleted file mode 100644 index d6bdc4569e..0000000000 --- a/windows/security/identity-protection/access-control/security-principals.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: Security Principals (Windows 10) -description: Security Principals -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -ms.reviewer: ---- - -# Security Principals - -**Applies to** -- Windows 10 -- Windows Server 2016 - -This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals. - -## What are security principals? - - -Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID). - -The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. - -## How security principals work - - -Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer. - -### Authorization and access control components - -The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor. - -**Authorization and access control process** - -![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif) - -Security principals are closely related to the following components and technologies: - -- [Security identifiers](#bkmk-sids) - -- [Access tokens](#bkmk-accesstokens) - -- [Security descriptors and access control lists](#bkmk-sdandacls) - -- [Permissions](#bkmk-permissions) - -### Security identifiers - -Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment. - -A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group. - -Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for whatever actions the user performs on that computer. - -In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems. - -### Access tokens - -An access token is a protected object that contains information about the identity and user rights that are associated with a user account. - -When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups. - -After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization. - -There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread. - -### Security descriptors and access control lists - -A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs: - -- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access - -- A system access control list (SACL), which controls how access is audited - -You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined. - -### Permissions - -Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control. - -Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories. - -On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers. - -For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). - -### Security context in authentication - -A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain. - -In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in. - -To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal. - -This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource. - -The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain. - -## Accounts and security groups - - -Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources. - -Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer. - -### User accounts - -A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to: - -- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain. - -- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource. - -- Audit the actions that are carried out on a user account. - -Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization. - -### Security groups - -A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization. - -Groups can be Active Directory-based or local to a particular computer: - -- Active Directory security groups are used to manage rights and permissions to domain resources. - -- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer. - -By using security groups to manage access control, you can: - -- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier. - -- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal. - -- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable. - -For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md). - -For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md). - -## See also - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md deleted file mode 100644 index 2614ab30e4..0000000000 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ /dev/null @@ -1,116 +0,0 @@ ---- -title: Service Accounts (Windows 10) -description: Service Accounts -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 11/19/2021 ---- - -# Service Accounts - -**Applies to** -- Windows 10 -- Windows Server 2016 - -This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts. - -## Overview - -A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell. - -This topic contains information about the following types of service accounts: - -- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts) - -- [Group-managed service accounts](#bkmk-groupmanagedserviceaccounts) - -- [Virtual accounts](#bkmk-virtualserviceaccounts) - -### Standalone managed service accounts - -A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts. - -To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group-managed service account. For more information, see [Group-Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)). - -In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: - -- You can create a class of domain accounts that can be used to manage and maintain services on local computers. - -- Unlike domain accounts in which administrators must manually reset passwords, the network passwords for these accounts are automatically reset. - -- You do not have to complete complex SPN management tasks to use managed service accounts. -- You don't have to complete complex SPN management tasks to use managed service accounts. -- Administrative tasks for managed service accounts can be delegated to non-administrators. - -### Software requirements - -Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. - -### Group-managed service accounts - -Group-managed service accounts are an extension of the standalone-managed service accounts, which were introduced in Windows Server 2008 R2. These accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators. - -The group-managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group-managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password. - -The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group-managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group-managed service account. - -### Practical applications - -Group-managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group-managed service account solution, services can be configured for the group-managed service account principal, and the password management is handled by the operating system. - -By using a group-managed service account, service administrators do not need to manage password synchronization between service instances. The group-managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This provision means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting. - -Failover clusters do not support group-managed service accounts. However, services that run on top of the Cluster service can use a group-managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or standalone managed service accounts. - -### Software requirements - -Group-managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements. - -A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group-managed service accounts. - -A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) must always be configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail. - -**Note**   -Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560670(v=ws.10)). - -Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012. - -### Virtual accounts - -Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration: - -- The virtual account is automatically managed. - -- The virtual account can access the network in a domain environment. - -- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>. - -Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$. - -For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)). - -### Software requirements - -Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. - -## See also - - -The following table provides links to other resources that are related to standalone managed service accounts, group-managed service accounts, and virtual accounts. - -| Content type | References | -|---------------|-------------| -| **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
                        [Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) | -| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) | -| **Related technologies** | [Security Principals](security-principals.md)
                        [What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) | diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md deleted file mode 100644 index db7379ba1f..0000000000 --- a/windows/security/identity-protection/access-control/special-identities.md +++ /dev/null @@ -1,499 +0,0 @@ ---- -title: Special Identities (Windows 10) -description: Special Identities -ms.prod: m365-security -ms.technology: windows-sec -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 12/21/2021 -ms.reviewer: ---- - -# Special Identities - -**Applies to** -- Windows Server 2016 or later - -This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. - -Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can: - -- Assign user rights to security groups in Active Directory. - -- Assign permissions to security groups for the purpose of accessing resources. - -Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. - -Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource. - -For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md). - -The special identity groups are described in the following tables: - -- [Anonymous Logon](#anonymous-logon) - -- [Authenticated Users](#authenticated-users) - -- [Batch](#batch) - -- [Creator Group](#creator-group) - -- [Creator Owner](#creator-owner) - -- [Dialup](#dialup) - -- [Digest Authentication](#digest-authentication) - -- [Enterprise Domain Controllers](#enterprise-domain-controllers) - -- [Everyone](#everyone) - -- [Interactive](#interactive) - -- [Local Service](#local-service) - -- [LocalSystem](#localsystem) - -- [Network](#network) - -- [Network Service](#network-service) - -- [NTLM Authentication](#ntlm-authentication) - -- [Other Organization](#other-organization) - -- [Principal Self](#principal-self) - -- [Remote Interactive Logon](#remote-interactive-logon) - -- [Restricted](#restricted) - -- [SChannel Authentication](#schannel-authentication) - -- [Service](#service) - -- [Terminal Server User](#terminal-server-user) - -- [This Organization](#this-organization) - -- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group) - -## Anonymous Logon - - -Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-7 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Attested Key Property - - -A SID that means the key trust object had the attestation property. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-6 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Authenticated Users - - -Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-11 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
                        [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
                        [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - -## Authentication Authority Asserted Identity - - -A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Batch - - -Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-3 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Console Logon - - -A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-2-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Creator Group - - -The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. - -A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Creator Owner - - -The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-0 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Dialup - - -Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Digest Authentication - - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-21 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Enterprise Domain Controllers - - -This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-9 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
                        [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| - -## Everyone - - -All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. - -On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1). - -Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-1-0 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
                        [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
                        [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - -## Fresh Public Key Identity - - -A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-3 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Interactive - - -Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None| - -## IUSR - - -Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-17 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Key Trust - - -A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Local Service - - -The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-19 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
                        [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
                        [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
                        [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
                        [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
                        [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
                        [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
                        [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
                        | - -## LocalSystem - - -This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. - - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-18 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## MFA Key Property - - -A SID that means the key trust object had the multifactor authentication (MFA) property. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-5 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Network - -This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-2 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Network Service - - -The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-20 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
                        [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
                        [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
                        [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
                        [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
                        [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
                        | - -## NTLM Authentication - - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-10 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None| - -## Other Organization - - -This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-1000 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Owner Rights - - -A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Principal Self - - -This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-10 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Proxy - - -Identifies a SECURITY_NT_AUTHORITY Proxy. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-8 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Remote Interactive Logon - - -This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-14| -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Restricted - - -Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-12 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## SChannel Authentication - - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-14 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Service - - -Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system. - - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-6 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
                        [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
                        | - -## Service Asserted Identity - - -A SID that means the client's identity is asserted by a service. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-2 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Terminal Server User - - -Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-13 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## This Organization - - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-15 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Window Manager\\Window Manager Group - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-90 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
                        [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
                        | - -## See also - -- [Active Directory Security Groups](active-directory-security-groups.md) - -- [Security Principals](security-principals.md) - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index c6922f3901..b1d3c58e26 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,21 +1,17 @@ --- title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. -ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 -ms.reviewer: -keywords: encrypt, digital signature ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- @@ -31,7 +27,7 @@ S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. -Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. +Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email. ## About digital signatures @@ -86,7 +82,7 @@ When you receive an encrypted message, the mail app will check whether there is ## Install certificates from a received message -When you receive a signed email, the app provide feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person. +When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person. 1. Open a signed email. @@ -95,4 +91,4 @@ When you receive a signed email, the app provide feature to install correspondin 3. Tap **Install.** :::image type="content" alt-text="message security information." source="images/installcert.png"::: -  \ No newline at end of file +  diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 9ca5657e1d..ae0b3c7b76 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -2,18 +2,14 @@ title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: --- # Additional mitigations @@ -22,7 +18,7 @@ Windows Defender Credential Guard can provide mitigation against attacks on deri ## Restricting domain users to specific domain-joined devices -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. ### Kerberos armoring @@ -36,7 +32,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, ### Protecting domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: - Devices' accounts are in Windows Server 2012 domain functional level or higher. @@ -100,13 +96,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` -### Restricting user sign on +### Restricting user sign-on So we now have completed the following: - Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on - Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. +- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. Authentication policies have the following requirements: - User accounts are in a Windows Server 2012 domain functional level or higher domain. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index f9dce14935..22f3e34740 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -2,51 +2,47 @@ title: Advice while using Windows Defender Credential Guard (Windows) description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/31/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Considerations when using Windows Defender Credential Guard -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. -Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. +Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported. ## Wi-fi and VPN Considerations -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. +When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. ## Kerberos Considerations When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead. ## 3rd Party Security Support Providers Considerations -Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. +Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. ## Upgrade Considerations As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. ### Saved Windows Credentials Protected -Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: -* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." +Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: +* Windows credentials saved by Remote Desktop Client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." * Applications that extract Windows credentials fail. -* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. +* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials. ## Clearing TPM Considerations Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. @@ -61,17 +57,17 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a > Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. ### Windows credentials saved to Credential Manager -Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. +Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. ### Domain-joined device’s automatically provisioned public key Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). -Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). +Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). ### Breaking DPAPI on domain-joined devices -On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. +On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. >[!IMPORTANT] > Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
                        @@ -79,19 +75,19 @@ Auto VPN configuration is protected with user DPAPI. User may not be able to use If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. -Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller: +Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: |Credential Type | Windows version | Behavior |---|---|---| -| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. | -| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. -| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. +| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | +| Password | Windows 10 v1709 or later | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. +| Password | Windows 10 v1703 | If the user signed in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. | Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data. Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. #### Impact of DPAPI failures on Windows Information Protection -When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed. +When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. **Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 0d09f98a43..b48fb5bbb3 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -2,36 +2,31 @@ title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # How Windows Defender Credential Guard works -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - - -Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. +When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. +When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 7d71cc00ce..e190e70c49 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -2,60 +2,64 @@ title: Windows Defender Credential Guard - Known issues (Windows) description: Windows Defender Credential Guard - Known issues in Windows Enterprise ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 01/26/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- +# Windows Defender Credential Guard: Known issues -# Windows Defender Credential Guard: Known issues +Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - -Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). +The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): -The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033): +- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: -- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
                        - "Task Scheduler failed to log on ‘\Test’.
                        - Failure occurred in ‘LogonUserExEx’.
                        - User Action: Ensure the credentials for the task are correctly specified.
                        - Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect)." -- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: - > Log Name: Microsoft-Windows-NTLM/Operational - Source: Microsoft-Windows-Security-Netlogon - Event ID: 8004 - Task Category: Auditing NTLM - Level: Information - Description: - Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. - Secure Channel name: \ - User name: - @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA + ```console + Task Scheduler failed to log on '\Test'. + Failure occurred in 'LogonUserExEx'. + User Action: Ensure the credentials for the task are correctly specified. + Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect). + ``` + +- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: + + ```console + Log Name: Microsoft-Windows-NTLM/Operational + Source: Microsoft-Windows-Security-Netlogon + Event ID: 8004 + Task Category: Auditing NTLM + Level: Information + Description: + Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. + Secure Channel name: + User name: + @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA Domain name: NULL - - - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. - - The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute. - - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. + ``` + + - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. + - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute. + - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: -- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) +- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722) - This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) + This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles: + - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657) + - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6) ## Known issues involving third-party applications @@ -63,61 +67,47 @@ The following issue affects MSCHAPv2: - [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). -The following issue affects the Java GSS API. See the following Oracle bug database article: +The following issue affects the Java GSS API. See the following Oracle bug database article: - [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) -When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). +When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). The following issue affects Cisco AnyConnect Secure Mobility Client: -- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* - -*Registration required to access this article. +- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) The following issue affects McAfee Application and Change Control (MACC): -- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] - -The following issue affects AppSense Environment Manager. - For more information, see the following Knowledge Base article: -- [Installing AppSense Environment Manager on Windows machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** +- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) [Note 1](#bkmk_note1) The following issue affects Citrix applications: -- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1] -[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article: +- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [Note 1](#bkmk_note1) -- [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage) - -For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes) - - - \** Registration is required to access this article. + +> [!NOTE] +> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). +> +> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). ## Vendor support -See the following article on Citrix support for Secure Boot: -- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) +For more information on Citrix support for Secure Boot, see [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) -Windows Defender Credential Guard isn't supported by either these products, products versions, computer systems, or Windows 10 versions: +Windows Defender Credential Guard isn't supported by the following products, products versions, computer systems, or Windows 10 versions: -- For Windows Defender Credential Guard on Windows with McAfee Encryption products, see: - [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009) +- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009) -- For Windows Defender Credential Guard on Windows with Check Point Endpoint Security Client, see: - [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) +- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) -- For Windows Defender Credential Guard on Windows with VMWare Workstation - [Windows host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361) +- ["VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361) -- For Windows Defender Credential Guard on Windows with specific versions of the Lenovo ThinkPad - [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039) +- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) -- For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection - [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) +- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) - This isn't a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. +This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. - Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. +Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index b63bf80703..1b61031be8 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -2,14 +2,11 @@ title: Manage Windows Defender Credential Guard (Windows) description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: v-tappelgate -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: - M365-identity-device-management - highpri @@ -17,17 +14,14 @@ ms.topic: article ms.custom: - CI 120967 - CSSTroubleshooting +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- - # Manage Windows Defender Credential Guard - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 -- Windows Server 2022 - ## Enable Windows Defender Credential Guard Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. @@ -53,19 +47,21 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will To enforce processing of the group policy, you can run `gpupdate /force`. -### Enable Windows Defender Credential Guard by using Intune +### Enable Windows Defender Credential Guard by using Microsoft Endpoint Manager -1. From **Home**, select **Microsoft Intune**. +1. From **Microsoft Endpoint Manager admin center**, select **Devices**. -1. Select **Device configuration**. +1. Select **Configuration Profiles**. -1. Select **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. +1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**. - > [!NOTE] - > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. + 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings. + +> [!NOTE] +> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. > [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). +> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-account-protection-profile-settings). ### Enable Windows Defender Credential Guard by using the registry diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 170018c2c2..445168ffc1 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -2,28 +2,24 @@ title: Windows Defender Credential Guard protection limits & mitigations (Windows) description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Credential Guard protection limits and mitigations -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) in the Deep Dive into Windows Defender Credential Guard video series. @@ -127,13 +123,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` -#### Restricting user sign on +#### Restricting user sign-on So we now have completed the following: - Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on - Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. +- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. Authentication policies have the following requirements: - User accounts are in a Windows Server 2012 domain functional level or higher domain. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 9cab64d757..ba9aa464db 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -2,44 +2,39 @@ title: Windows Defender Credential Guard protection limits (Windows) description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- - # Windows Defender Credential Guard protection limits -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - Some ways to store credentials are not protected by Windows Defender Credential Guard, including: - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. - Key loggers - Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. - Third-party security packages - Digest and CredSSP credentials - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. - Windows logon cached password verifiers (commonly called "cached credentials") -do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. +don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 4762a25d8b..e4d7f90a39 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -2,30 +2,26 @@ title: Windows Defender Credential Guard Requirements (Windows) description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.date: 12/27/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Credential Guard: Requirements -## Applies to - -- Windows 11 -- Windows 10 -- Windows Server 2019 -- Windows Server 2016 - For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). ## Hardware and software requirements diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 709bc9de64..d235f8a2dc 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -2,23 +2,18 @@ title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dulcemontemayor -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: --- # Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies - Here is a list of scripts mentioned in this topic. ## Get the available issuance policies on the certificate authority diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 4153f5223b..db31018523 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -1,33 +1,28 @@ --- title: Protect derived domain credentials with Windows Defender Credential Guard (Windows) description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 -ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.date: 03/10/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Protect derived domain credentials with Windows Defender Credential Guard -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - -Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. +Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By enabling Windows Defender Credential Guard, the following features and solutions are provided: @@ -43,3 +38,8 @@ By enabling Windows Defender Credential Guard, the following features and soluti - [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)) - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) +- [Mitigating Credential Theft using the Windows 10 Isolated User Mode](/shows/seth-juarez/mitigating-credential-theft-using-windows-10-isolated-user-mode) +- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel](/shows/seth-juarez/isolated-user-mode-processes-features-in-windows-10-logan-gabriel) +- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert](/shows/seth-juarez/more-on-processes-features-in-windows-10-isolated-user-mode-dave-probert) +- [Isolated User Mode in Windows 10 with Dave Probert](/shows/seth-juarez/isolated-user-mode-in-windows-10-dave-probert) +- [Windows 10 Virtual Secure Mode with David Hepkin](/shows/seth-juarez/windows-10-virtual-secure-mode-david-hepkin) diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index a3c6d35840..603dcc1d9c 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -2,28 +2,23 @@ title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: SteveSyfuhs -ms.author: stsyfuhs -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -**Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 -- Windows Server 2022 - ```powershell # Script to find out if a machine is Device Guard compliant. # The script requires a driver verifier present on the system. diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index b41236db4a..facbb090b1 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -1,27 +1,22 @@ --- title: Enterprise Certificate Pinning -ms.mktglfcycl: manage -ms.sitesec: library description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name. -audience: ITPro -author: dulcemontemayor -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.prod: m365-security ms.technology: windows-sec -ms.pagetype: security ms.localizationpriority: medium ms.date: 07/27/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Enterprise Certificate Pinning -**Applies to** -- Windows 10 - Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name. Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. @@ -103,7 +98,7 @@ The **Certificate** element can have the following attributes. | **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
                        - single certificate
                        - p7b
                        - sst
                        These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). | | **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). | | **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
                        - single certificate
                        - p7b
                        - sst
                        This allows the certificates to be included in the XML file without a file directory dependency.
                        Note:
                        You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). | -| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
                        If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
                        If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
                        For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| +| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
                        If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
                        If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
                        For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| #### Site element @@ -111,7 +106,7 @@ The **Site** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| -| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
                        - If the DNS name has a leading "*", it's removed.
                        - Non-ASCII DNS name is converted to ASCII Puny Code.
                        - Upper case ASCII characters are converted to lower case.
                        If the normalized name has a leading ".", then, wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| +| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
                        - If the DNS name has a leading "*", it's removed.
                        - Non-ASCII DNS name is converted to ASCII Puny Code.
                        - Upper case ASCII characters are converted to lower case.
                        If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| | **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
                        For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| ### Create a Pin Rules Certificate Trust List diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md deleted file mode 100644 index 9b8365686e..0000000000 --- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: WebAuthn APIs -description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps. -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 02/15/2019 -ms.reviewer: ---- -# WebAuthn APIs for password-less authentication on Windows - -### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication. - -Microsoft has long been a proponent to do away with passwords. -While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs! -These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys -as a password-less authentication mechanism for their applications on Windows devices. - -#### What does this mean? - -This opens opportunities for developers or relying parties (RPs') to enable password-less authentication. -They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) -as a password-less multi-factor credential for authentication. -
                        -Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication - and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site! -

                        -The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later - and latest versions of other browsers. -

                        -Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users. - Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE - without having to deal with the interaction and management overhead. -This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging. - -#### Where can developers learn more? - -The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index bb8984236d..50dac1c934 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,28 +1,21 @@ --- title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 03/20/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Multi-factor Unlock -**Applies to:** - -- Windows 10 -- Windows 11 - **Requirements:** * Windows Hello for Business deployment (Cloud, Hybrid or On-premises) * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 0ea88cb07e..1c3acf11f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -1,20 +1,18 @@ --- title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. -keywords: identity, Hello, Active Directory, cloud, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 06/23/2021 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Azure Active Directory join cloud only deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index cbaecf9da3..edba592b4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -1,30 +1,24 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 or later +- ✅ Hybrid or On-Premises deployment +- ✅ Key trust --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -**Applies to** - -- Windows 10, version 1703 or later, or Windows 11 -- Windows Server, versions 2016 or later -- Hybrid or On-Premises deployment -- Key trust - > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). @@ -95,7 +89,7 @@ Using the same methods described above, monitor the Kerberos authentication afte ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` -Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. +Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index ce4fee62d1..0b82e155e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,28 +1,21 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 -ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello and password changes -**Applies to** - -- Windows 10 -- Windows 11 - When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. ## Example diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index fb5244ee95..ebbea60361 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,31 +1,24 @@ --- title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: Windows Hello, enterprise biometrics ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 01/12/2021 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello biometrics in the enterprise -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. >[!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index c9023f3eab..da1d9d6154 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -1,30 +1,23 @@ --- title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 01/14/2021 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 18e5489911..36186166cf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -1,31 +1,25 @@ --- title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 08/20/2018 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Configure Windows Hello for Business Policy settings - Certificate Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. @@ -60,7 +54,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 3. Right-click **Group Policy object** and select **New**. 4. Type *Enable Windows Hello for Business* in the name box and click **OK**. 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. +6. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. @@ -70,7 +64,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. +4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 53a69d9ca8..9d4ca3a2f5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -1,31 +1,27 @@ --- title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Validate Active Directory prerequisites for cert-trust deployment -**Applies to** +The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. +> [!NOTE] +> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index baa09b6712..5ec79ae891 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -1,30 +1,23 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Validate and Deploy Multi-Factor Authentication feature -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 1972c3d210..578db1bd4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -1,31 +1,23 @@ --- title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Validate and Configure Public Key Infrastructure - Certificate Trust Model -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - - Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index ca84dfc5d4..21b67500a6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -1,30 +1,23 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # On Premises Certificate Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 1a167b69c6..0f2c45e2f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,15 +1,11 @@ --- title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 0b7c8c940f..43ff73fc92 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -1,21 +1,16 @@ --- title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -keywords: identity, PIN, biometric, Hello, passport params: siblings_only ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/03/2021 -ms.reviewer: --- # Windows Hello for Business Known Deployment Issues diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 0798dee5a2..faab624132 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -1,30 +1,23 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # On Premises Key Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 2ce62675f6..d0cc1cad93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -1,31 +1,24 @@ --- title: Deploying Certificates to Key Trust Users to Enable RDP description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/22/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Deploying Certificates to Key Trust Users to Enable RDP -**Applies To** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 194607bd44..d995550c13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,31 +1,24 @@ --- title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. -ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 -keywords: PIN, error, create a work PIN ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: troubleshooting ms.localizationpriority: medium ms.date: 05/05/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello errors during PIN creation -**Applies to** - -- Windows 10 -- Windows 11 - When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. ## Where is the error code? @@ -76,6 +69,8 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | +| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| + ## Errors with unknown mitigation diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index c5e10be931..8fa58bce19 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -1,30 +1,22 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 -ms.reviewer: -keywords: ngc ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Event ID 300 - Windows Hello successfully created -**Applies to** - -- Windows 10 -- Windows 11 - This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 12d4f1203e..bc542d1967 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -8,20 +8,22 @@ metadata: ms.sitesec: library ms.pagetype: security, mobile audience: ITPro - author: GitPrakhar13 - ms.author: prsriva - manager: dansimp + author: paolomatarazzo + ms.author: paoloma + manager: aaroncz + ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: faq localizationpriority: medium ms.date: 02/21/2022 + appliesto: + - ✅ Windows 10 + - ✅ Windows 11 title: Windows Hello for Business Frequently Asked Questions (FAQ) summary: | - Applies to: Windows 10 - sections: - name: Ignored @@ -31,6 +33,7 @@ sections: answer: | Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). + - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8. @@ -42,6 +45,7 @@ sections: - question: Can I use Windows Hello for Business key trust and RDP? answer: | Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. + - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | @@ -57,13 +61,12 @@ sections: - question: How can a PIN be more secure than a password? answer: | - The Windows Hello for Business PIN isn't a symmetric key, whereas a password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. - - The statement "PIN is stronger than Password" isn't directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multi-factor Unlock](feature-multifactor-unlock.md) feature. + When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. + The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - question: How does Windows Hello for Business work with Azure AD registered devices? answer: | - A user will be prompted to set-up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures. + A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures. If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. @@ -79,9 +82,9 @@ sections: answer: | It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - question: Can I use an external Windows Hello compatible camera when my computer has a built in Windows Hello compatible camera? + - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera? answer: | - Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? answer: | @@ -101,14 +104,10 @@ sections: answer: | The user experience for Windows Hello for Business occurs after the user signs in, after you deploy Windows Hello for Business policy settings to your environment. - [Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) - - question: What happens when a user forgets their PIN? answer: | If the user can sign in with a password, they can reset their PIN by selecting the "I forgot my PIN" link in Settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by selecting the "I forgot my PIN" link on the PIN credential provider. - [Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) - For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - question: What URLs do I need to allow for a hybrid deployment? @@ -127,9 +126,9 @@ sections: - question: What's the difference between non-destructive and destructive PIN reset? answer: | - Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). + Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). - Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. + Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid Azure Active Directory joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | Which is better or more secure, key trust or certificate trust? @@ -153,7 +152,31 @@ sections: - question: Is Windows Hello for Business multi-factor authentication? answer: | Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". - + + - question: Where is Windows Hello biometrics data stored? + answer: | + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + + - question: What is the format used to store Windows Hello biometrics data on the device? + answer: | + Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. + + - question: Who has access on Windows Hello biometrics data? + answer: | + Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it. + + - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? + answer: | + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. + + - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? + answer: | + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + + - question: What about any diagnostic data coming out when WHFB is enabled? + answer: | + To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + - question: What are the biometric requirements for Windows Hello for Business? answer: | Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. @@ -210,7 +233,7 @@ sections: answer: | Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business don't require a TPM. Administrators can choose to allow key operations in software. - Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register). + Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against various known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to reauthenticate to the IDP before the IDP allows them to re-register). - question: Can Windows Hello for Business work in air-gapped environments? answer: | @@ -227,9 +250,9 @@ sections: | Protocol | Description | | :---: | :--- | | [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | - | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | + | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. | | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | - | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. | + | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define other claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define more provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. | - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | @@ -238,4 +261,4 @@ sections: - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? answer: | - No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD. + No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index ac9768add5..2acbb4823a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,20 +1,15 @@ --- title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/09/2019 -ms.reviewer: --- # Conditional access diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 066da6e651..489d5513cf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -1,20 +1,15 @@ --- title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/09/2019 -ms.reviewer: --- # Dual Enrollment diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 7025fb4173..4fbe94952d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,30 +1,27 @@ --- title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/09/2019 -ms.reviewer: +ms.date: 07/12/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Dynamic lock -**Requirements:** - -* Windows 10, version 1703 or later - Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +> [!IMPORTANT] +> This feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system isn't idle (for example, an intruder gets access _before_ the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it. + You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 4158e8838a..435fe6109b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,66 +1,68 @@ --- title: Pin Reset -description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. -keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset +description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium -ms.date: 5/3/2021 +ms.date: 07/29/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # PIN reset -**Applies to:** +Windows Hello for Business provides the capability for users to reset forgotten PINs using the *I forgot my PIN* link from the Sign-in options page in *Settings* or from the Windows lock screen. Users are required to authenticate and complete multi-factor authentication to reset their PIN. -- Windows 10, version 1709 or later -- Windows 11 +There are two forms of PIN reset: -Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN. +- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration. +- **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature. +## Using PIN reset -There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and does not require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. -## Using PIN Reset +There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. **Requirements** -- Reset from settings - Windows 10, version 1703 -- Reset above Lock - Windows 10, version 1709 +- Reset from settings - Windows 10, version 1703 or later, Windows 11 +- Reset above Lock - Windows 10, version 1709 or later, Windows 11 + +Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users do not have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. -Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider. >[!IMPORTANT] >For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. ### Reset PIN from Settings -1. Sign-in to Windows 10, version 1703 or later using an alternate credential. -2. Open **Settings**, click **Accounts**, click **Sign-in options**. -3. Under **PIN**, click **I forgot my PIN** and follow the instructions. +1. Sign-in to Windows 10 using an alternate credential. +1. Open **Settings**, select **Accounts** > **Sign-in options**. +1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions. + ### Reset PIN above the Lock Screen For Azure AD-joined devices: 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. -1. Click **I forgot my PIN** from the PIN credential provider. -1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e., Password, PIN, Security key). +1. Select **I forgot my PIN** from the PIN credential provider. +1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key). 1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. + For Hybrid Azure AD-joined devices: 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. -1. Click **I forgot my PIN** from the PIN credential provider. +1. Select **I forgot my PIN** from the PIN credential provider. 1. Enter your password and press enter. 1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. @@ -68,86 +70,129 @@ For Hybrid Azure AD-joined devices: > [!NOTE] > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. -You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). - -Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](./hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience). +You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). ## Non-Destructive PIN reset **Requirements:** - Azure Active Directory +- Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. - Hybrid Windows Hello for Business deployment - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined -- Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903. -When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. -Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. +When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. + +Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment. >[!IMPORTANT] -> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer. +> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and later, Windows 11. > The Microsoft PIN Reset service is not currently available in Azure Government. +### Summary + +|Category|Destructive PIN Reset|Non-Destructive PIN Reset| +|--- |--- |--- | +|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| +|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| +|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| +|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| +|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| +|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| +|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| + ### Onboarding the Microsoft PIN reset service to your Intune tenant -Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage. +> The **Microsoft PIN Reset Service** is not currently available in Azure Government. -### Connect Azure Active Directory with the PIN reset service -1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. +### Enable the Microsoft PIN Reset Service in your Azure AD tenant -1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. +Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant: +- PIN Reset Service +- PIN Reset Client + +#### Connect Azure Active Directory with the PIN Reset Service + +1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. +1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization. ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) -1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. - -1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. +#### Connect Azure Active Directory with the PIN Reset Client +1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. +1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization. ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) - > [!NOTE] - > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. +#### Confirm that the two PIN Reset service principals are registered in your tenant -1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. +1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com). +1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**. +1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list. + :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png"::: - :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: +### Enable PIN Recovery on your devices -### Configure Windows devices to use PIN reset using Group Policy +Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. Follow the instructions below to configure your devices using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP). -You can configure Windows to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. +#### [✅ **Intune**](#tab/intune) + +You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune. + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +1. Select **Devices** > **Configuration profiles** > **Create profile**. +1. Enter the following properties: + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Settings catalog**. +1. Select **Create**. +1. In **Basics**, enter the following properties: + - **Name**: Enter a descriptive name for the profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. +1. Select **Next**. +1. In **Configuration settings**, select **Add settings**. +1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**. +1. Configure **Enable Pin Recovery** to **true**. +1. Select **Next**. +1. In **Scope tags**, assign any applicable tags (optional). +1. Select **Next**. +1. In **Assignments**, select the security groups that will receive the policy. +1. Select **Next**. +1. In **Review + create**, review your settings and select **Create**. + +>[!NOTE] +> You can also configure PIN recovery from the **Endpoint security** blade: +> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +> 1. Select **Endpoint security** > **Account protection** > **Create Policy**. + +#### [✅ **GPO**](#tab/gpo) + +You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO). 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. 1. Edit the Group Policy object from Step 1. 1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. -1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +1. Close the Group Policy Management Editor to save the Group Policy object. -#### Create a PIN Reset Device configuration profile using Microsoft Intune +#### [✅ **CSP**](#tab/csp) -1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. -1. Click **Endpoint Security** > **Account Protection** > **Properties**. -1. Set **Enable PIN recovery** to **Yes**. +You can configure Windows devices to use the **Microsoft PIN Reset Service** using the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). -> [!NOTE] -> You can also set up PIN recovery using configuration profiles. -> -> 1. Sign in to Endpoint Manager. -> 1. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. -> 1. Set **Enable PIN recovery** to **Yes**. +- OMA-URI: `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery` +- Data type: **Boolean** +- Value: **True** -#### Assign the PIN Reset Device configuration profile using Microsoft Intune +>[!NOTE] +> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account. -1. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. -1. In the device configuration profile, select **Assignments**. -1. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. +--- -### Confirm that PIN recovery policy is enforced on the client +#### Confirm that PIN Recovery policy is enforced on the devices -The PIN reset configuration for a user can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then non-destructive PIN reset is enabled. +The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then non-destructive PIN reset is enabled. -#### Sample User state Output for Destructive PIN Reset +**Sample User state Output for Destructive PIN Reset** ```console +----------------------------------------------------------------------+ @@ -166,7 +211,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta +----------------------------------------------------------------------+ ``` -#### Sample User state Output for Non-Destructive PIN Reset +**Sample User state Output for Non-Destructive PIN Reset** ```console +----------------------------------------------------------------------+ @@ -189,39 +234,34 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta **Applies to:** -- Windows 10, version 1803 or later -- Windows 11 -- Azure AD joined +- Azure AD joined devices -The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. +The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. -### Configuring Policy Using Intune +### Configure Web Sign-in Allowed URLs using Microsoft Intune -1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. - -1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**. - -1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create. - -1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next. - -1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings - - - **Name:** Web Sign In Allowed URLs - - **Description:** (Optional) List of domains that are allowed during PIN reset flows. - - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls - - **Data type:** String - - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks) - - :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: - -1. Click the Save button to save the custom configuration. - -1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button. - -1. On the Applicability rules page, click Next. - -1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) +1. Select **Devices** > **Configuration profiles** > **Create profile** +1. Enter the following properties: + - **Platform**: Select **Windows 10 and later** + - **Profile type**: Select **Templates** + - In the list of templates that is loaded, select **Custom** > **Create** +1. In **Basics**, enter the following properties: + - **Name**: Enter a descriptive name for the profile + - **Description**: Enter a description for the profile. This setting is optional, but recommended +1. Select **Next** +1. In **Configuration settings**, select **Add** and enter the following settings: + - Name: **Web Sign In Allowed URLs** + - Description: **(Optional) List of domains that are allowed during PIN reset flows** + - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` + - Data type: **String** + - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** + :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png"::: +1. Select **Save** > **Next** +1. In **Assignments**, select the security groups that will receive the policy +1. Select **Next** +1. In **Applicability Rules**, select **Next** +1. In **Review + create**, review your settings and select **Create** > [!NOTE] > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index fc797a8b6e..9073c4ef60 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,20 +1,15 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/24/2021 -ms.reviewer: --- # Remote Desktop @@ -23,10 +18,10 @@ ms.reviewer: - Windows 10 - Windows 11 -- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments +- Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices -Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection. +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection. Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release. @@ -34,7 +29,7 @@ Microsoft continues to investigate supporting using keys trust for supplied cred **Requirements** -- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments +- Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices - Biometric enrollments - Windows 10, version 1809 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 443d3adc15..909df0b77b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -2,26 +2,20 @@ title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business and Authentication -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources. Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 96b5a3b434..7d93ef16b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -2,26 +2,20 @@ title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 2/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business Provisioning -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: - How the device is joined to Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index a7e607516e..ff24499d85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -1,289 +1,348 @@ --- -title: How Windows Hello for Business works - Technology and Terms +title: How Windows Hello for Business works - technology and terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 10/08/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- -# Technology and Terms -**Applies to:** +# Technology and terms -- Windows 10 -- Windows 11 +## Attestation identity keys -- [Attestation Identity Keys](#attestation-identity-keys) -- [Azure AD Joined](#azure-ad-joined) -- [Azure AD Registered](#azure-ad-registered) -- [Certificate Trust](#certificate-trust) -- [Cloud Deployment](#cloud-deployment) -- [Cloud Experience Host](#cloud-experience-host) -- [Deployment Type](#deployment-type) -- [Endorsement Key](#endorsement-key) -- [Federated Environment](#federated-environment) -- [Hybrid Azure AD Joined](#hybrid-azure-ad-joined) -- [Hybrid Deployment](#hybrid-deployment) -- [Join Type](#join-type) -- [Key Trust](#key-trust) -- [Managed Environment](#managed-environment) -- [On-premises Deployment](#on-premises-deployment) -- [Pass-through Authentication](#pass-through-authentication) -- [Password Hash Synchronization](#password-hash-sync) -- [Primary Refresh Token](#primary-refresh-token) -- [Storage Root Key](#storage-root-key) -- [Trust Type](#trust-type) -- [Trusted Platform Module](#trusted-platform-module) -

                        - -## Attestation Identity Keys -Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. +Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. > [!NOTE] > The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. > The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device. +Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device. -Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. +Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. -In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. +In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate. -### Related topics -[Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module) +### Related to attestation identity keys -### More information -- [Windows Client Certificate Enrollment Protocol: Glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab) -- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) +- [Endorsement key](#endorsement-key) +- [Storage root key](#storage-root-key) +- [Trusted platform module](#trusted-platform-module) +### More information about attestation identity keys -[Return to Top](hello-how-it-works-technology.md) -## Azure AD Joined -Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources. -### Related topics -[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined) +- [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab) +- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) -### More information -- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction). +## Azure Active Directory join -[Return to Top](hello-how-it-works-technology.md) -## Azure AD Registered -The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device. -### Related topics -[Azure AD Joined](#azure-ad-joined), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Join Type](#join-type) +Azure Active Directory (Azure AD) join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Azure AD join. Azure AD join also works in a hybrid environment and can enable access to on-premises applications and resources. -### More information -- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction) +### Related to Azure AD join +- [Join type](#join-type) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) -[Return to Top](hello-how-it-works-technology.md) -## Certificate Trust -The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers. +### More information about Azure AD join -### Related topics -[Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type) +[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview). -### More information -- [Windows Hello for Business Planning Guide](hello-planning-guide.md) +## Azure AD registration -[Return to Top](hello-how-it-works-technology.md) -## Cloud Deployment -The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types. +The goal of Azure AD-registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Azure AD-controlled resources using a personal device. -### Related topics -[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type) +### Related to Azure AD registration -[Return to Top](hello-how-it-works-technology.md) -## Cloud Experience Host -In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +- [Azure AD join](#azure-active-directory-join) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) +- [Join type](#join-type) -### Related topics -[Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md) +### More information about Azure AD registration -### More information -- [Windows Hello for Business and Device Registration](./hello-how-it-works-device-registration.md) +[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview). -[Return to Top](hello-how-it-works-technology.md) +## Certificate trust + +The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers. + +### Related to certificate trust + +- [Deployment type](#deployment-type) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) +- [Hybrid deployment](#hybrid-deployment) +- [Key trust](#key-trust) +- [On-premises deployment](#on-premises-deployment) +- [Trust type](#trust-type) + +### More information about certificate trust + +[Windows Hello for Business planning guide](hello-planning-guide.md) + +## Cloud deployment + +The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD-joined or Azure AD-registered devices. + +### Related to cloud deployment + +- [Azure AD join](#azure-active-directory-join) +- [Azure AD registration](#azure-ad-registration) +- [Deployment type](#deployment-type) +- [Join type](#join-type) + +## Cloud experience host + +In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. + +### Related to cloud experience host + +- [Windows Hello for Business](./hello-identity-verification.md) +- [Managed Windows Hello in organization](./hello-manage-in-organization.md) + +### More information on cloud experience host + +[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md) + +## Deployment type + +Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: -## Deployment Type -Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: - Cloud - Hybrid -- On-Premises +- On-premises -### Related topics -[Cloud Deployment](#cloud-deployment), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment) +### Related to deployment type -### More information -- [Windows Hello for Business Planning Guide](hello-planning-guide.md) +- [Cloud deployment](#cloud-deployment) +- [Hybrid deployment](#hybrid-deployment) +- [On-premises deployment](#on-premises-deployment) -[Return to Top](hello-how-it-works-technology.md) -## Endorsement Key +### More information about deployment type + +[Windows Hello for Business planning guide](hello-planning-guide.md) + +## Endorsement key The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). -The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. +The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. The endorsement key acts as an identity card for the TPM. The endorsement key is often accompanied by one or two digital certificates: -- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. -- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. +- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. + +- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11. -### Related topics -[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module) +### Related to endorsement key -### More information -- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)). -- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) +- [Attestation identity keys](#attestation-identity-keys) +- [Storage root key](#storage-root-key) +- [Trusted platform module](#trusted-platform-module) -[Return to Top](hello-how-it-works-technology.md) -## Federated Environment -Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. +### More information about endorsement key -### Related topics -[Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync) +- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)) +- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) -### More information -- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) +## Federated environment + +Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. + +### Related to federated environment + +- [Hybrid deployment](#hybrid-deployment) +- [Managed environment](#managed-environment) +- [Pass-through authentication](#pass-through-authentication) +- [Password hash sync](#password-hash-sync) + +### More information about federated environment + +[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) + +## Hybrid Azure AD join -[Return to Top](hello-how-it-works-technology.md) -## Hybrid Azure AD Joined For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: + - IT departments to manage work-owned devices from a central location. -- Users to sign in to their devices with their Active Directory work or school accounts. -Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them. +- Users to sign in to their devices with their Active Directory work or school accounts. -If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD-joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. +Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them. -### Related topics -[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment) +If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure AD, you can implement hybrid Azure AD-joined devices. These devices are joined to both your on-premises Active Directory and your Azure AD. -### More information -- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction) +### Related to hybrid Azure AD join -[Return to Top](hello-how-it-works-technology.md) -## Hybrid Deployment -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory. Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. +- [Azure AD join](#azure-active-directory-join) +- [Azure AD registration](#azure-ad-registration) +- [Hybrid deployment](#hybrid-deployment) -### Related topics -[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), +### More information about hybrid Azure AD join -### More information -- [Windows Hello for Business Planning Guide](hello-planning-guide.md) +[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview) + +## Hybrid deployment + +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. + +### Related to hybrid deployment + +- [Azure AD join](#azure-active-directory-join) +- [Azure AD registration](#azure-ad-registration) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) + +### More information about hybrid deployment + +[Windows Hello for Business planning guide](hello-planning-guide.md) -[Return to Top](hello-how-it-works-technology.md) ## Join type -Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined. + +Join type is how devices are associated with Azure AD. For a device to authenticate to Azure AD it must be registered or joined. Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device. -When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune . +When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune. -Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. +Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. -### Related topics -[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined) +### Related to join type -### More information -- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction) +- [Azure AD join](#azure-active-directory-join) +- [Azure AD registration](#azure-ad-registration) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) -[Return to Top](hello-how-it-works-technology.md) -## Key Trust -The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. +### More information about join type -### Related topics -[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type) +[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview) -### More information -- [Windows Hello for Business Planning Guide](hello-planning-guide.md) +## Key trust -[Return to Top](hello-how-it-works-technology.md) -## Managed Environment -Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services. +The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. -### Related topics -[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-sync) +### Related to key trust -[Return to Top](#technology-and-terms) -## On-premises Deployment -The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. +- [Certificate trust](#certificate-trust) +- [Deployment type](#deployment-type) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) +- [Hybrid deployment](#hybrid-deployment) +- [On-premises deployment](#on-premises-deployment) +- [Trust type](#trust-type) -### Related topics -[Cloud Deployment](#cloud-deployment), [Deployment Type](#deployment-type), [Hybrid Deployment](#hybrid-deployment) +### More information about key trust -### More information -- [Windows Hello for Business Planning Guide](hello-planning-guide.md) +[Windows Hello for Business planning guide](hello-planning-guide.md) + +## Managed environment + +Managed environments are for non-federated environments where Azure AD manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS). + +### Related to managed environment + +- [Federated environment](#federated-environment) +- [Pass-through authentication](#pass-through-authentication) +- [Password hash synchronization](#password-hash-sync) + +## On-premises deployment + +The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. + +### Related to on-premises deployment + +- [Cloud deployment](#cloud-deployment) +- [Deployment type](#deployment-type) +- [Hybrid deployment](#hybrid-deployment) + +### More information about on-premises deployment + +[Windows Hello for Business planning guide](hello-planning-guide.md) -[Return to Top](hello-how-it-works-technology.md) ## Pass-through authentication -Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. -### Related topics -[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-sync) +Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +### Related to pass-through authentication -### More information -- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn) +- [Federated environment](#federated-environment) +- [Managed environment](#managed-environment) +- [Password hash synchronization](#password-hash-sync) -[Return to Top](hello-how-it-works-technology.md) -## Password Hash Sync -The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +### More information about pass-through authentication -### Related topics -[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication) +[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) -### More information -- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn) +## Password hash sync -[Return to Top](hello-how-it-works-technology.md) -## Primary Refresh Token -SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device. +Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. -The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD-joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.). +### Related to password hash sync -The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied. +- [Federated environment](#federated-environment) +- [Managed environment](#managed-environment) +- [Pass-through authentication](#pass-through-authentication) -[Return to Top](#technology-and-terms) -## Storage Root Key -The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. +### More information about password hash sync -### Related topics -[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Trusted Platform Module](#trusted-platform-module) +[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) -### More information -[TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) +## Primary refresh token + +Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device. + +The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Azure AD joined and hybrid Azure AD-joined devices. For personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com. + +The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied. + +## Storage root key + +The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken. + +### Related to storage root key + +- [Attestation identity keys](#attestation-identity-keys) +- [Endorsement key](#endorsement-key) +- [Trusted platform module](#trusted-platform-module) + +### More information about storage root key + +[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) -[Return to Top](hello-how-it-works-technology.md) ## Trust type -The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type does not affect authentication to Azure Active Directory. Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment). -### Related topics -[Certificate Trust](#certificate-trust), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment) +The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Azure AD. Windows Hello for Business authentication to Azure AD always uses the key, not a certificate (excluding smart card authentication in a federated environment). -### More information -- [Windows Hello for Business Planning Guide](hello-planning-guide.md) +### Related to trust type -[Return to Top](hello-how-it-works-technology.md) -## Trusted Platform Module +- [Certificate trust](#certificate-trust) +- [Hybrid deployment](#hybrid-deployment) +- [Key trust](#key-trust) +- [On-premises deployment](#on-premises-deployment) -A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
                        +### More information about trust type -Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. +[Windows Hello for Business planning guide](hello-planning-guide.md) + +## Trusted platform module + +A trusted platform module (TPM) is a hardware component that provides unique security features. + +Windows uses security characteristics of a TPM for the following functions: + +- Measuring boot integrity sequence. Based on that sequence, it automatically unlocks BitLocker-protected drives +- Protecting credentials +- Health attestation + +A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). There are currently two versions of the TPM specification produced by TCG that aren't compatible with each other: -A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. @@ -294,27 +353,29 @@ Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: - Update cryptography strength to meet modern security needs - - Support for SHA-256 for PCRs - - Support for HMAC command + - Support for SHA-256 for PCRs + - Support for HMAC command - Cryptographic algorithms flexibility to support government needs - - TPM 1.2 is severely restricted in terms of what algorithms it can support - - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents + - TPM 1.2 is severely restricted in terms of what algorithms it can support + - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents - Consistency across implementations - - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details - - TPM 2.0 standardizes much of this behavior + - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details + - TPM 2.0 standardizes much of this behavior -In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component: -- A RSA 2048-bit key generator +In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component: + +- An RSA 2048-bit key generator - A random number generator - Nonvolatile memory for storing EK, SRK, and AIK keys - A cryptographic engine to encrypt, decrypt, and sign - Volatile memory for storing the PCRs and RSA keys +### Related to trusted platform module -### Related topics -[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key) +- [Attestation identity keys](#attestation-identity-keys) +- [Endorsement key](#endorsement-key) +- [Storage root key](#storage-root-key) -### More information -- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) +### More information about trusted platform module -[Return to Top](hello-how-it-works-technology.md) \ No newline at end of file +[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 23efa578c0..cb5b134268 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -2,26 +2,20 @@ title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/05/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How Windows Hello for Business works in Windows Devices -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 2029789901..c936ab0e6a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -1,32 +1,25 @@ --- title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 01/14/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Azure Active Directory-join +- ✅ Hybrid Deployment +- ✅ Key trust --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business - -**Applies to** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid Deployment -- Key trust model - ## Prerequisites Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 807592de85..875fe62728 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,32 +1,25 @@ --- title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Azure AD-join +- ✅ Hybrid Deployment +- ✅ Certificate trust --- # Using Certificates for AADJ On-premises Single-sign On -**Applies to:** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid Deployment -- Certificate trust - If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] @@ -98,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. -4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. +4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. @@ -293,11 +286,13 @@ Sign-in to the issuing certificate authority or management workstations with _Do 7. On the **Security** tab, click **Add**. -8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. +8. Select **Object Types**, then, in the window that appears, choose **Computers** and click **OK**. -9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +9. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. -10. Click on the **Apply** to save changes and close the console. +10. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + +11. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template @@ -339,7 +334,7 @@ The certificate authority may only issue certificates for certificate templates > [!Important] > Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that certificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority. -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. +Sign in to the certificate authority or management workstations with an _enterprise admin_ -equivalent credential. 1. Open the **Certificate Authority** management console. @@ -814,143 +809,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector - -Sign-in a workstation with access equivalent to a _domain user_. - -1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). - -2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. - -3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - - ![Intune Certificate Authority.](images/aadjcert/profile01.png) - -4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. - -5. Sign-out of the Microsoft Endpoint Manager admin center. - -### Install the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. - -2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. - -3. On the **Microsoft Intune** page, click **Next**. - - ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) - -4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. - -5. On the **Destination Folder** page, click **Next**. - -6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - - ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) - -7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - - ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) - - > [!NOTE] - > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. - -8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. - -9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. - - ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) - - > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. - -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - - ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) - -### Configure the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. The **NDES Connector** user interface should be open from the last task. - - > [!NOTE] - > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. - -2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - - ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) - -3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. - - ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) - - > [!IMPORTANT] - > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. - -4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. - +To learn how to download, install, and configure the Intune Certificate Connector, see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install). ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -#### Enabling the NDES Service account for revocation +1. Sign in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. -Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +2. Start the **Certification Authority** management console. -1. Start the **Certification Authority** management console. +3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. - -3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -4. Close the **Certification Authority** - -#### Enable the NDES Connector for certificate revocation - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). - -2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - - ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) - -3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. - -### Test the NDES Connector - -Sign-in the NDES server with access equivalent to _domain admin_. - -1. Open a command prompt. - -2. Type the following command to confirm the NDES Connector's last connection time is current. - - ```console - reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus - ``` - -3. Close the command prompt. - -4. Open **Internet Explorer**. - -5. In the navigation bar, type: - - ```console - https://[fqdnHostName]/certsrv/mscep/mscep.dll - ``` - - where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. - A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - - ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) - -6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. +5. Close the **Certification Authority**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -974,7 +849,7 @@ Sign-in a workstation with access equivalent to a _domain user_. ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) -8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. +8. Click **Members**. Use the **Select members** pane to add members to this group. When finished, click **Select**. 9. Click **Create**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 6d2ac37a80..0842bb52e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -1,30 +1,21 @@ --- title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Azure AD Join Single Sign-on Deployment -**Applies to** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid deployment - Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 6de21388aa..1dbae77cc3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -1,30 +1,23 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. -keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index c45b19aa4d..b35fa21dac 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -1,30 +1,23 @@ --- title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 6432ef517b..b6d189d7c1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -1,30 +1,23 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Prerequisites -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index bec180c498..72086e9d13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -1,30 +1,23 @@ --- title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/08/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Certificate Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index f3d6ed1281..6721675b09 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -1,30 +1,23 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 94462ebe1d..230a694361 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,30 +1,23 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, ad ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 93dcb39b92..03989ad22c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -1,30 +1,23 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - ## Federation Services The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 7ef3176f22..7e29ef7f6a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -1,31 +1,24 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate Trust - ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index e6408a1ce4..e604fc736f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -1,31 +1,24 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid Deployment -- Certificate Trust - Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index a7bc32dc4c..2708e9a22c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,29 +1,23 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust ## Policy Configuration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index dcffcfc154..c0ba9ce415 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -1,30 +1,23 @@ --- title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index f8d135a315..8765cbc8c3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -1,29 +1,22 @@ --- title: Hybrid Cloud Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 2/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 21H2 and later +- ✅ Windows 11 --- # Hybrid Cloud Trust Deployment (Preview) -Applies to - -- Windows 10, version 21H2 -- Windows 11 and later - -Windows Hello for Business replaces username and password Windows sign in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. ## Introduction to Cloud Trust @@ -48,6 +41,8 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). +If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. + ## Prerequisites | Requirement | Notes | @@ -258,3 +253,7 @@ Windows Hello for Business cloud trust requires line of sight to a domain contro ### Can I use RDP/VDI with Windows Hello for Business cloud trust? Windows Hello for Business cloud trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. + +### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust? + +No, only the number necessary to handle the load from all cloud trust devices. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 4f8c8153c4..98599d9132 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -1,31 +1,23 @@ --- title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. -keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - - Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 90cbd52d95..49cd5d3b42 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,31 +1,23 @@ --- title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/04/2022 -ms.reviewer: prsriva - +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 705b84df66..d3e68887fd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -1,30 +1,23 @@ --- title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 90aaa2b968..b732396e36 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -1,30 +1,22 @@ --- title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: @@ -40,7 +32,7 @@ The distributed systems on which these technologies were built involved several Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. +A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. @@ -95,7 +87,7 @@ The minimum required Enterprise certificate authority that can be used with Wind The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. -Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect. +Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index db6d3e0a33..7a7e3f3eed 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -1,30 +1,23 @@ --- title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Key Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index c7dd159a00..4b009fe228 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -1,30 +1,22 @@ --- title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning - -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 46ba983c83..49124b1ddf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -1,29 +1,23 @@ --- title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) -keywords: identity, PIN, biometric, Hello, passport, WHFB, ad, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: --- # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index b964f460e9..1092173f9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -1,30 +1,23 @@ --- title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization -keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 418298f89e..8a9e8ee322 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -1,32 +1,24 @@ --- title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) -keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 04/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- - # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid Deployment -- Key trust - -Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. +Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. @@ -84,11 +76,11 @@ The certificate template is configured to supersede all the certificate template > [!NOTE] > The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. ->you can view +>To see all certificates in the NTAuth store, use the following command: > ->'''powershell ->Certutil -view ->Publish Certificate Templates to a Certificate Authority +> `Certutil -viewstore -enterprise NTAuth` + +### Publish Certificate Templates to a Certificate Authority The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. @@ -100,7 +92,7 @@ Sign-in to the certificate authority or management workstations with an _enterpr 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. 5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 6. If you published the **Domain Controller Authentication (Kerberos)** certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. + - To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. 7. Close the console. ### Unpublish Superseded Certificate Templates diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index d98732f5c2..4522c3b93d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -1,30 +1,23 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy -keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Policy Configuration You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 38b7194d9c..ea0439b451 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -1,30 +1,23 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. > [!IMPORTANT] @@ -41,10 +34,6 @@ For the most efficient deployment, configure these technologies in order beginni > [!div class="step-by-step"] > [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) -

                        - -
                        - ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4135615f1c..7a9e8e62b1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,16 +1,11 @@ --- title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index d608421337..8761b3eaf6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -1,30 +1,23 @@ --- title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index b67d63f1b7..b954e4d073 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -1,31 +1,23 @@ --- title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Configure Windows Hello for Business Policy settings - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - - You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 2ba08c716b..64195a8b82 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -1,30 +1,23 @@ --- title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: GitPrakhar13 -audience: ITPro -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Validate Active Directory prerequisites - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index e0d299b2df..81e0df5016 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,33 +1,26 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Validate and Deploy Multifactor Authentication (MFA) > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index debf3022c5..d12ad32ade 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -1,31 +1,23 @@ --- title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- - # Validate and Configure Public Key Infrastructure - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 4b44e661ec..7127970af5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -1,31 +1,24 @@ --- title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 -keywords: identity, PIN, biometric, Hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 2/15/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Manage Windows Hello for Business in your organization -**Applies to** - -- Windows 10 -- Windows 11 - You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] @@ -81,7 +74,7 @@ The following table lists the MDM policy settings that you can configure for Win |UsePassportForWork|Device or user|True|

                        True: Windows Hello for Business will be provisioned for all users on the device.

                        False: Users will not be able to provision Windows Hello for Business.

                        **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices
                        | |RequireSecurityDevice|Device or user|False|

                        True: Windows Hello for Business will only be provisioned using TPM.

                        False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.| |ExcludeSecurityDevice

                        TPM12|Device|False|Added in Windows 10, version 1703

                        True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.

                        False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.| -|EnablePinRecovery|Device or use|False|

                        Added in Windows 10, version 1703

                        True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

                        False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| +|EnablePinRecovery|Device or use|False|

                        Added in Windows 10, version 1703

                        True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

                        False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| ### Biometrics @@ -99,7 +92,7 @@ The following table lists the MDM policy settings that you can configure for Win |Special characters|Device or user|2|

                        0: Special characters are allowed.

                        1: At least one special character is required.

                        2: Special characters are not allowed.| |Uppercase letters|Device or user|2|

                        0: Uppercase letters are allowed.

                        1: At least one uppercase letter is required.

                        2: Uppercase letters are not allowed.| |Maximum PIN length |Device or user|127 |

                        Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.| -|Minimum PIN length|Device or user|4|

                        Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.| +|Minimum PIN length|Device or user|6|

                        Minimum length that can be set is 6. Minimum length cannot be greater than maximum setting.| |Expiration |Device or user|0|

                        Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.| |History|Device or user|0|

                        Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.| @@ -120,7 +113,7 @@ Policies for Windows Hello for Business are enforced using the following hierarc Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source. -All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. +All PIN complexity policies are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. >[!NOTE] > Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 86a2a82c99..6a355853aa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,30 +1,22 @@ --- title: Windows Hello for Business Overview (Windows) -ms.reviewer: An overview of Windows Hello for Business description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: conceptual localizationpriority: medium +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Windows Hello for Business Overview -**Applies to** - -- Windows 10 -- Windows 11 - In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] @@ -42,37 +34,37 @@ Windows Hello lets users authenticate to: - A Microsoft account. - An Active Directory account. - A Microsoft Azure Active Directory (Azure AD) account. -- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. +- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication. After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. -As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. +As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. ## Biometric sign-in Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials. - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10 and Windows 11. +- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards. Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). ## The difference between Windows Hello and Windows Hello for Business -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it is not backed by asymmetric (public/private key) or certificate-based authentication. +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it's not backed by asymmetric (public/private key) or certificate-based authentication. -- **Windows Hello for Business**, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This makes it much more secure than **Windows Hello convenience PIN**. +- **Windows Hello for Business**, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than **Windows Hello convenience PIN**. ## Benefits of Windows Hello Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. -You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials. +You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they're entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials. -In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows to access resources and services. +In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services. ->[!NOTE] ->Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password. +> [!NOTE] +> Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password. :::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png"::: @@ -84,15 +76,15 @@ Windows Hello helps protect user identities and user credentials. Because the us - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. +- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Azure AD, or a Microsoft account. - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. +- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. @@ -102,25 +94,21 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md). ## Comparing key-based and certificate-based authentication -Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 21H2, there is a feature called cloud trust for hybrid deployments which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but does not require certificates on the domain controller. +Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. -Windows Hello for Business with a key, including cloud trust, does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). ## Learn more -[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business) +[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/insidetrack/implementing-strong-user-authentication-with-windows-hello-for-business) -[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft) +[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/insidetrack/implementing-windows-hello-for-business-at-microsoft) -[Introduction to Windows Hello](/learn/?l=eH7yoY2BC_9106218949), video presentation on Microsoft Virtual Academy +[Windows Hello for Business: Authentication](https://youtu.be/WPmzoP_vMek): In this video, learn about Windows Hello for Business and how it's used to sign-in and access resources. [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication) -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) - -[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) - -## Related topics +## Related articles - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 7436890316..c1dc768999 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -1,29 +1,23 @@ --- title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: conceptual ms.date: 09/16/2020 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Planning a Windows Hello for Business Deployment -**Applies to** - -- Windows 10 -- Windows 11 - Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 8ab37765f1..89efd738ea 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,30 +1,21 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B -ms.reviewer: -keywords: identity, PIN, biometric, Hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Prepare people to use Windows Hello -**Applies to** - -- Windows 10 -- Windows 11 - When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 013f236742..cf437e3bee 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,28 +1,20 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: +ms.date: 07/26/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business Videos - -**Applies to** - -- Windows 10 -- Windows 11 - ## Overview of Windows Hello for Business and Features Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock @@ -51,22 +43,4 @@ Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business pr Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. -> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] - -## Windows Hello for Business user enrollment experience - -The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. - -> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM] - -
                        - -> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] - -## Windows Hello for Business forgotten PIN user experience - -If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. - -> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] - -For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. +> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 6c4c54aee9..887d2893eb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -1,31 +1,23 @@ --- title: Why a PIN is better than an online password (Windows) description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password . -ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 -keywords: pin, security, password, hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 10/23/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Why a PIN is better than an online password -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png new file mode 100644 index 0000000000..df2fc5634a Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png index 5b1df9448e..35eee9bc5e 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications-expanded.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications-expanded.png new file mode 100644 index 0000000000..b3db1cd442 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications-expanded.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png index 3001e771d8..e276132f9e 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png deleted file mode 100644 index fce622e7f7..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png index 9e5e339b30..2bfb558bbf 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png deleted file mode 100644 index 7415de9616..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png deleted file mode 100644 index 970e9f8109..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png deleted file mode 100644 index 9903a59bf5..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png index e4a92204ee..39f21df392 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png new file mode 100644 index 0000000000..49639cefcf Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png new file mode 100644 index 0000000000..97ca13f648 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png differ diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 62c038bd6b..bdd841ab2c 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -8,9 +8,10 @@ metadata: description: Learn how to manage and deploy Windows Hello for Business. ms.prod: m365-security ms.topic: landing-page - author: GitPrakhar13 - manager: dansimp - ms.author: prsriva + author: paolomatarazzo + ms.author: paoloma + manager: aaroncz + ms.reviewer: prsriva ms.date: 01/22/2021 ms.collection: - M365-identity-device-management diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index 556f49c888..2d0f9aed02 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -1,20 +1,15 @@ --- title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. -keywords: FIDO2, security key, CTAP, Hello, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 11/14/2018 -ms.reviewer: --- # What is a Microsoft-compatible security key? diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8ca6538d48..be9b81f965 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -2,14 +2,17 @@ title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: conceptual localizationpriority: medium ms.date: 05/24/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Password-less strategy @@ -251,7 +254,7 @@ You can use Group Policy to deploy an administrative template policy setting to :::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'."::: -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. :::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'."::: diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index 99df1a799a..3818cf29e6 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md @@ -1,20 +1,15 @@ --- title: Reset-security-key description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key -keywords: FIDO2, security key, CTAP, Microsoft-compatible security key ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 11/14/2018 -ms.reviewer: --- # How to reset a Microsoft-compatible security key? > [!Warning] diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index a3f4153369..aaca362314 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -2,24 +2,18 @@ title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mapalko ms.localizationpriority: high -ms.author: mapalko +author: paolomatarazzo +ms.author: paoloma ms.date: 10/16/2017 -ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How Windows Hello for Business works in Windows devices -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. ## Register a new user or device @@ -61,14 +55,14 @@ Containers can contain several types of key material: - An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. - Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. -- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: +- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. ## How keys are protected -Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. +Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. @@ -77,7 +71,7 @@ Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protect When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. -These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication anytime a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. For example, the authentication process for Azure Active Directory works like this: diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 1e3bd031b3..6e71a47657 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -21,6 +21,8 @@ href: hello-how-it-works-provisioning.md - name: Authentication href: hello-how-it-works-authentication.md + - name: WebAuthn APIs + href: webauthn-apis.md - name: How-to Guides items: - name: Windows Hello for Business Deployment Overview diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md new file mode 100644 index 0000000000..8926ad4417 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md @@ -0,0 +1,122 @@ +--- +title: WebAuthn APIs +description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps. +ms.prod: m365-security +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 08/30/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +--- +# WebAuthn APIs for passwordless authentication on Windows + +Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users. + +Microsoft has long been a proponent of passwordless authentication, and introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903). + +## What does this mean? + +By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) to implement passwordless multi-factor authentication for their applications on Windows devices. + +Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use. + +Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead. + +> [!NOTE] +> When these APIs are in use, Windows 10 browsers or apps don't have direct access to the FIDO2 transports for FIDO-related messaging. + +## The big picture + +Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators). + +The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally. + +After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made. + +The following diagram shows how CTAP and WebAuthn interact. The light blue dotted arrows represent interactions that depend on the specific implementation of the platform APIs. + +:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview.png" alt-text="The diagram shows how the WebAuthn API interacts with the relying parties and the CTAPI2 API."::: + +*Relationships of the components that participate in passwordless authentication* + +A combined WebAuthn/CTAP2 dance includes the following cast of characters: + +- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices. + +- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices. + + - As a relying party, a native application can also act as a WebAuthn client to make direct WebAuthn calls. + + - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser. + + > [!NOTE] + > The preceding diagram doesn't depict single sign-on authentication. Be careful not to confuse FIDO relying parties with federated relying parties. + +- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request that the authenticator create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on. + +- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions of the preceding diagram may differ. + +- **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators. + +- **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols. + +Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile app. + +## Interoperability + +Before there was WebAuthn and CTAP2, there was U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality. + +FIDO2 authenticators have already implemented and WebAuthn relying parties might require the following optional features: + +- Keys for multiple accounts (keys can be stored per relying party) +- Client PIN +- Location (the authenticator returns a location) +- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios) + +The following options and might be useful in the future, but haven't been observed in the wild yet: + +- Transactional approval +- User verification index (servers can determine whether biometric data that's stored locally has changed over time) +- User verification method (the authenticator returns the exact method) +- Biometric performance bounds (the relying party can specify acceptable false acceptance and false rejection rates) + +## Microsoft implementation + +The Microsoft FIDO2 implementation has been years in the making. Software and services are implemented independently as standards-compliant entities. As of the Windows 10, version 1809 (October 2018) release, all Microsoft components use the latest WebAuthn Candidate Release. It's a stable release that's not expected to normatively change before the specification is finally ratified. Because Microsoft is among the first in the world to deploy FIDO2, some combinations of popular non-Microsoft components won't be interoperable yet. + +Here's an approximate layout of where the Microsoft bits go: + +:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png" alt-text="The diagram shows how the WebAuthn API interacts with the Microsoft relying parties and the CTAPI2 API."::: + +*Microsoft's implementation of WebAuthn and CATP2 APIs* + +- **WebAuthn relying party: Microsoft Account**. If you aren't familiar with Microsoft Account, it's the sign-in service for Xbox, Outlook, and many other sites. The sign-in experience uses client-side JavaScript to trigger Microsoft Edge to talk to the WebAuthn APIs. Microsoft Account requires that authenticators have the following characteristics: + + - Keys are stored locally on the authenticator and not on a remote server + - Offline scenarios work (enabled by using HMAC) + - Users can put keys for multiple user accounts on the same authenticator + - If it's necessary, authenticators can use a client PIN to unlock a TPM + > [!IMPORTANT] + > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials. + +- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn. + + > [!NOTE] + > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication). + +- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs. + +- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. That's because there's already a strong ecosystem of products that specialize in strong authentication, and every one of our customers (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. To see the ever-growing list of FIDO2 certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs. + +## Developer references + +The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications: + +- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec. +- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication. diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index 7883dbd5b9..ee523e79f7 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -2,22 +2,21 @@ title: Identity and access management (Windows 10) description: Learn more about identity and access protection technologies in Windows. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 02/05/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Identity and access management -Learn more about identity and access management technologies in Windows 10. +Learn more about identity and access management technologies in Windows 10 and Windows 11. | Section | Description | |-|-| diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md index 88d73b87aa..a48a887b72 100644 --- a/windows/security/identity-protection/password-support-policy.md +++ b/windows/security/identity-protection/password-support-policy.md @@ -1,25 +1,21 @@ --- title: Technical support policy for lost or forgotten passwords description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. -ms.reviewer: kaushika -manager: kaushika ms.custom: - CI ID 110060 - CSSTroubleshoot -ms.author: v-tappelgate ms.prod: m365-security -ms.sitesec: library -ms.pagetype: security -author: Teresa-Motiv ms.topic: article ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.date: 11/20/2019 -audience: ITPro --- # Technical support policy for lost or forgotten passwords -Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. Be aware that, if these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password. +Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password. If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password. @@ -31,7 +27,7 @@ If you lose or forget the password for a domain account, contact your IT adminis If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard. -This wizard requests your security proofs. If you have forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you are the account holder. This decision is final. Microsoft does not influence the team's choice of action. +This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action. ## How to reset a password for a local account on a Windows device @@ -51,8 +47,8 @@ If you lose or forget the password for the hardware BIOS of a device, contact th ## How to reset a password for an individual file -Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers cannot help you reset, retrieve, or circumvent such passwords. +Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords. ## Using third-party password tools -Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we cannot recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk. +Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk. diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index e919cee245..4d160b97b2 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -2,26 +2,21 @@ title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 01/12/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Protect Remote Desktop credentials with Windows Defender Remote Credential Guard -**Applies to** -- Windows 10 -- Windows Server 2016 - Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 99de6899d4..613d27bf02 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -2,24 +2,23 @@ title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- - # Smart Card and Remote Desktop Services -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. The content in this topic applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. In these versions, smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process. @@ -64,7 +63,7 @@ When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services ### Remote Desktop Services and smart card sign-in -Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password. +Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password. In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 3ce6180ae9..3fa8e4255e 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -2,24 +2,24 @@ title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Architecture -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter. @@ -122,7 +122,7 @@ The global data cache is hosted in the Smart Cards for Windows service. Windows The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card. -To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it require multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times. +To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times. The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 1ad9d49a24..ef2c516483 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -2,24 +2,24 @@ title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 08/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate Propagation Service -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index eea206d53d..df7c9505b6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -2,24 +2,24 @@ title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate Requirements and Enumeration -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. When a smart card is inserted, the following steps are performed. diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index f557a5a713..7f0143c568 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -2,25 +2,26 @@ title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Troubleshooting -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 0d7a79fdac..a750b165ca 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -2,55 +2,47 @@ title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Events -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization. -- [Smart card reader name](#smart-card-reader-name) - -- [Smart card warning events](#smart-card-warning-events) - -- [Smart card error events](#smart-card-error-events) - -- [Smart card Plug and Play events](#smart-card-plug-and-play-events) - +- [Smart card reader name](#smart-card-reader-name) +- [Smart card warning events](#smart-card-warning-events) +- [Smart card error events](#smart-card-error-events) +- [Smart card Plug and Play events](#smart-card-plug-and-play-events) ## Smart card reader name -The Smart Card resource manager does not use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver. +The Smart Card resource manager doesn't use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver. The following three attributes are used to construct the smart card reader name: -- Vendor name - -- Interface device type - -- Device unit +- Vendor name +- Interface device type +- Device unit The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information: -- Vendor name: Contoso - -- Interface device type: Smart Card Reader - -- Device unit: 0 +- Vendor name: Contoso +- Interface device type: Smart Card Reader +- Device unit: 0 ## Smart card warning events @@ -58,8 +50,8 @@ The smart card reader device name is constructed in the form <*VendorName*> | **Event ID** | **Warning Message** | **Description** | |--------------|---------|--------------------------------------------------------------------------------------------| -| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.

                        %1 = Windows error code
                        %2 = Smart card reader name
                        %3 = IOCTL being canceled
                        %4 = First 4 bytes of the command that was sent to the smart card | -| 619 | Smart Card Reader '%2' has not responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader has not responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader does not respond for 150 seconds. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.

                        %1 = Number of seconds the IOCTL has been waiting
                        %2 = Smart card reader name
                        %3 = IOCTL sent
                        %4 = First 4 bytes of the command that was sent to the smart card | +| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.

                        %1 = Windows error code
                        %2 = Smart card reader name
                        %3 = IOCTL being canceled
                        %4 = First 4 bytes of the command that was sent to the smart card | +| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.

                        %1 = Number of seconds the IOCTL has been waiting
                        %2 = Smart card reader name
                        %3 = IOCTL sent
                        %4 = First 4 bytes of the command that was sent to the smart card | ## Smart card error events @@ -71,7 +63,7 @@ The smart card reader device name is constructed in the form <*VendorName*> | 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.
                        %1 = Name of the smart card reader that is duplicated | | 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | | 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. | -| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. | +| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. | | 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | | 504 | Resource Manager cannot create shutdown event flag:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                        %1 = Windows error code | | 506 | Smart Card Resource Manager failed to register service:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                        %1 = Windows error code | @@ -99,10 +91,10 @@ The smart card reader device name is constructed in the form <*VendorName*> | 609 | Reader monitor failed to create overlapped event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                        %1 = Windows error code | | 610 | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
                        %1 = Windows error code
                        %2 = Name of the smart card reader
                        %3 = IOCTL that was sent
                        %4 = First 4 bytes of the command sent to the smart card
                        These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.| | 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | -| 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                        %1 = Windows error code | -| 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                        %1 = Windows error code | -| 616 | Reader monitor '%2' received uncaught error code:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                        %1 = Windows error code
                        %2 = Reader name | -| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                        %1 = Smart card reader name | +| 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                        %1 = Windows error code | +| 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                        %1 = Windows error code | +| 616 | Reader monitor '%2' received uncaught error code:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                        %1 = Windows error code
                        %2 = Reader name | +| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                        %1 = Smart card reader name | | 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | | 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                        %1 = Windows error code
                        These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. | | 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                        %1 = Windows error code | diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index a74dfed7b2..2b1c30addd 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -2,24 +2,24 @@ title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 11/02/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Group Policy and Registry Settings -Applies to: Windows 10, Windows 11, Windows Server 2016 and above - This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers. @@ -93,7 +93,7 @@ The following table lists the default values for these GPO settings. Variations ### Allow certificates with no extended key usage certificate attribute -You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in. +You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign-in. > [!NOTE] > Enhanced key usage certificate attribute is also known as extended key usage. @@ -149,9 +149,9 @@ When this setting isn't turned on, the feature is not available. ### Allow signature keys valid for Logon -You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign in. +You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in. -When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. +When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen. @@ -164,7 +164,7 @@ When this setting isn't turned on, certificates available on the smart card with ### Allow time invalid certificates -You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in. +You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign-in. > [!NOTE] > Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer. @@ -182,7 +182,7 @@ When this policy setting isn't turned on, certificates that are expired or not y ### Allow user name hint -You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. +You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. When this policy setting is turned on, users see an optional field where they can enter their username or username and domain. @@ -195,7 +195,7 @@ When this policy setting isn't turned on, users don't see this optional field. | Policy management | Restart requirement: None
                        Sign off requirement: None
                        Policy conflicts: None | | Notes and resources | | -### Configure root certificate clean up +### Configure root certificate clean-up You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. @@ -255,17 +255,17 @@ This policy setting is applied to the computer after the [Allow time invalid cer ### Force the reading of all certificates from the smart card -You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card. +You can use this policy setting to manage how Windows reads all certificates from the smart card for sign-in. During sign-in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card. -When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set. +When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set. -When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in. +When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in. | **Item** | **Description** | |--------------------------------------|----------------------------------------------------------------------------| | Registry key | **ForceReadingAllCertificates** | | Default values | No changes per operating system versions
                        Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
                        Sign off requirement: None
                        Policy conflicts: None

                        **Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations. | +| Policy management | Restart requirement: None
                        Sign off requirement: None
                        Policy conflicts: None

                        **Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. | | Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. | ### Notify user of successful smart card driver installation @@ -303,12 +303,12 @@ When this setting isn't turned on, Credential Manager can return plaintext PINs. ### Reverse the subject name stored in a certificate when displaying -You can use this policy setting to control the way the subject name appears during sign in. +You can use this policy setting to control the way the subject name appears during sign-in. > [!NOTE] > To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization. -When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate. +When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate. When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index d6656c1427..4019c75ad2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -2,25 +2,26 @@ title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # How Smart Card Sign-in Works in Windows -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: - [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them. diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 77c8c9d18b..79ce85481a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -2,24 +2,24 @@ title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Removal Policy Service -Applies To: Windows 10, Windows 11, Windows Server 2016 - This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). @@ -30,7 +30,7 @@ The smart card removal policy service is applicable when a user has signed in wi The numbers in the previous figure represent the following actions: -1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign in was initiated. +1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated. 2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred. diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index 0d26cf1289..4acfbe37c2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -2,24 +2,24 @@ title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Cards for Windows Service -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://pcscworkgroup.com/). diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 935f57edf3..faab6d1c50 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -2,24 +2,24 @@ title: Smart Card Tools and Settings (Windows) description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Tools and Settings -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. This section of the Smart Card Technical Reference contains information about the following: diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 377f4811d2..7899c14e50 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -2,24 +2,24 @@ title: Smart Card Technical Reference (Windows) description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Technical Reference -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise. ## Audience diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index bbc7256c6d..42aca41a0a 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -1,31 +1,27 @@ --- title: How User Account Control works (Windows) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. -ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 -ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: operate -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/23/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # How User Account Control works -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ## UAC process and interactions diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 98cfc580cb..e54d14dafe 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -2,29 +2,25 @@ title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # User Account Control Group Policy and registry key settings - -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 3d91177ca0..e9b562bbe0 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,31 +1,27 @@ --- title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. -ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 -ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: operate -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.date: 09/24/2011 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # User Account Control -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 4b29de5fe4..cacda816c0 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,32 +1,27 @@ --- title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. -ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 -ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # User Account Control security policy settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - - You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. ## User Account Control: Admin Approval Mode for the Built-in Administrator account diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 7b01e6dec2..763ba1f346 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -2,18 +2,16 @@ title: Deploy Virtual Smart Cards (Windows 10) description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Deploy Virtual Smart Cards diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index 852c4af6d4..703582c5a0 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -2,24 +2,20 @@ title: Evaluate Virtual Smart Card Security (Windows 10) description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Evaluate Virtual Smart Card Security -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. ## Virtual smart card non-exportability details diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index 799487b7f9..92cdfe8cdc 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -2,24 +2,20 @@ title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10) description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Get Started with Virtual Smart Cards: Walkthrough Guide -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index cfdee83c74..7d92df7bd0 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -2,24 +2,20 @@ title: Virtual Smart Card Overview (Windows 10) description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: conceptual ms.localizationpriority: medium ms.date: 10/13/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Virtual Smart Card Overview -Applies To: Windows 10, Windows Server 2016 - This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards. **Did you mean…** diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 48cbc570a2..37b59cb998 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -2,24 +2,20 @@ title: Tpmvscmgr (Windows 10) description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Tpmvscmgr -Applies To: Windows 10, Windows Server 2016 - The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples). ## Syntax diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index f64d08cdbe..077d990d63 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -2,24 +2,20 @@ title: Understanding and Evaluating Virtual Smart Cards (Windows 10) description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Understanding and Evaluating Virtual Smart Cards -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards. Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index da45445e1a..6cb4ac6fc7 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -2,24 +2,20 @@ title: Use Virtual Smart Cards (Windows 10) description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 10/13/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Use Virtual Smart Cards -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them. ## Requirements, restrictions, and limitations diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 9e47da731c..0e77c5aca8 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -2,15 +2,15 @@ title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11) description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp +manager: aaroncz +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index a3e52561e5..58e9851817 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -2,14 +2,14 @@ title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: dansimp +author: paolomatarazzo ms.date: 03/22/2022 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 70d6af4858..3434542f7b 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -2,23 +2,19 @@ title: VPN authentication options (Windows 10 and Windows 11) description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN authentication options -**Applies to** -- Windows 10 -- Windows 11 - In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic). Windows supports a number of EAP authentication methods. diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 441d05936f..2cef6b0692 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -2,23 +2,19 @@ title: VPN auto-triggered profile options (Windows 10 and Windows 11) description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN auto-triggered profile options -**Applies to** -- Windows 10 -- Windows 11 - In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: - App trigger diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index ec2a6bed29..e33c303053 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -2,25 +2,23 @@ title: VPN and conditional access (Windows 10 and Windows 11) description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp -ms.author: dansimp -manager: dansimp -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: pesmith +manager: aaroncz ms.localizationpriority: medium ms.date: 09/23/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN and conditional access ->Applies to: Windows 10 and Windows 11 - The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application. >[!NOTE] ->Conditional Access is an Azure AD Premium feature. +>Conditional Access is an Azure AD Premium feature. Conditional Access Platform components used for Device Compliance include the following cloud-based services: diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 75cbde62de..96e77511ad 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -2,23 +2,19 @@ title: VPN connection types (Windows 10 and Windows 11) description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 08/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN connection types -**Applies to** -- Windows 10 -- Windows 11 - Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network. There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 58f9b162de..c235596b5c 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -2,24 +2,19 @@ title: Windows VPN technical guide (Windows 10 and Windows 11) description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 02/21/2022 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows VPN technical guide - -**Applies to** - -- Windows 10 -- Windows 11 - This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11. To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10). diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index a07cf8e0c7..d91442912d 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -2,23 +2,19 @@ title: VPN name resolution (Windows 10 and Windows 11) description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN name resolution -**Applies to** -- Windows 10 -- Windows 11 - When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server. The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces. diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index a0a8aecf5e..c54c8c05a4 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -2,19 +2,17 @@ title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client description: tbd ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -audience: ITPro ms.topic: article -author: kelleyvice-msft ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: jajo +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index cca873649e..c6a1f32a1b 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -1,26 +1,20 @@ --- title: VPN profile options (Windows 10 and Windows 11) description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. -ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 -ms.reviewer: -manager: dansimp +manager: aaroncz ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: pesmith ms.localizationpriority: medium ms.date: 05/17/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN profile options -**Applies to** - -- Windows 10 -- Windows 11 - Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). >[!NOTE] diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index 3ba700ab9e..2fdcf08d5b 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -2,23 +2,18 @@ title: VPN routing decisions (Windows 10 and Windows 10) description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # VPN routing decisions -**Applies to** -- Windows 10 -- Windows 11 - Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. ## Split tunnel configuration diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 31f424f860..31e2845099 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -1,24 +1,25 @@ --- -title: VPN security features (Windows 10 and Windows 11) +title: VPN security features description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, networking -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium -ms.date: 09/03/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +ms.date: 07/21/2022 +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN security features -**Applies to** -- Windows 10 -- Windows 11 +## Hyper-V based containers and VPN +Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues. + +For example, for more information on a workaround for Cisco AnyConnect VPN, see [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f). ## Windows Information Protection (WIP) integration with VPN @@ -88,4 +89,4 @@ Deploy this feature with caution, as the resultant connection will not be able t - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 0465f35ec4..ced8857c84 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -1,27 +1,21 @@ --- title: Windows Credential Theft Mitigation Guide Abstract description: Provides a summary of the Windows credential theft mitigation guide. -ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a -ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Credential Theft Mitigation Guide Abstract -**Applies to** -- Windows 10 - This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md index 2048d9f516..24aaa25d9f 100644 --- a/windows/security/includes/improve-request-performance.md +++ b/windows/security/includes/improve-request-performance.md @@ -1,19 +1,14 @@ --- title: Improve request performance description: Improve request performance -keywords: server, request, performance search.product: eADQiWindows 10XVcnh ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas ms.localizationpriority: medium -manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: article +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz --- >[!TIP] diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md index 5d784c2abe..31e3d1ac98 100644 --- a/windows/security/includes/machineactionsnote.md +++ b/windows/security/includes/machineactionsnote.md @@ -3,9 +3,9 @@ title: Perform a Machine Action via the Microsoft Defender for Endpoint API description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API. ms.date: 08/28/2017 ms.reviewer: -manager: dansimp -ms.author: macapara -author: mjcaparas +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.prod: m365-security --- diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md index 536dab4a74..74cfd90cbb 100644 --- a/windows/security/includes/microsoft-defender-api-usgov.md +++ b/windows/security/includes/microsoft-defender-api-usgov.md @@ -1,17 +1,12 @@ --- title: Microsoft Defender for Endpoint API URIs for US Government description: Microsoft Defender for Endpoint API URIs for US Government -keywords: defender, endpoint, api, government, gov search.product: eADQiWindows 10XVcnh ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.localizationpriority: medium -manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: article --- diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md index f3a6cb666b..2bca659e04 100644 --- a/windows/security/includes/microsoft-defender.md +++ b/windows/security/includes/microsoft-defender.md @@ -4,8 +4,9 @@ description: A note in regard to important Microsoft 365 Defender guidance. ms.date: ms.reviewer: manager: dansimp -ms.author: dansimp -author: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.prod: m365-security ms.topic: include --- diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md index bced58da9f..58b056c484 100644 --- a/windows/security/includes/prerelease.md +++ b/windows/security/includes/prerelease.md @@ -3,9 +3,9 @@ title: Microsoft Defender for Endpoint Pre-release Disclaimer description: Disclaimer for pre-release version of Microsoft Defender for Endpoint. ms.date: 08/28/2017 ms.reviewer: -manager: dansimp -ms.author: macapara -author: mjcaparas +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.prod: m365-security --- diff --git a/windows/security/index.yml b/windows/security/index.yml index 5e7b974b0d..c8868f61f1 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -16,7 +16,7 @@ metadata: ms.author: dansimp #Required; microsoft alias of author; optional team alias. ms.date: 09/20/2021 localization_priority: Priority - + # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: @@ -133,13 +133,13 @@ landingContent: - linkListType: concept links: - text: Mobile device management - url: https://docs.microsoft.com/windows/client-management/mdm/ + url: /windows/client-management/mdm/ - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account url: identity-protection/access-control/microsoft-accounts.md - text: OneDrive - url: https://docs.microsoft.com/onedrive/onedrive + url: /onedrive/onedrive - text: Family safety url: threat-protection/windows-defender-security-center/wdsc-family-options.md # Cards and links should be based on top customer tasks or top subjects @@ -156,7 +156,7 @@ landingContent: - text: Microsoft Security Development Lifecycle url: threat-protection/msft-security-dev-lifecycle.md - text: Microsoft Bug Bounty - url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program.md + url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program - text: Common Criteria Certifications url: threat-protection/windows-platform-common-criteria.md - text: Federal Information Processing Standard (FIPS) 140 Validation @@ -170,4 +170,3 @@ landingContent: links: - text: Windows and Privacy Compliance url: /windows/privacy/windows-10-and-privacy-compliance - diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index fea16b36fc..6c6d9669a2 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -1,17 +1,12 @@ --- title: BCD settings and BitLocker (Windows 10) description: This topic for IT professionals describes the BCD settings that are used by BitLocker. -ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 6bb70b5515..f5a1fecb16 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -1,17 +1,12 @@ --- title: BitLocker basic deployment description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. -ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 619291134f..4f129193e8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -1,17 +1,12 @@ --- title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. -ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index df216aa4e3..68c9d667d6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -2,14 +2,10 @@ title: BitLocker deployment comparison (Windows 10) description: This article shows the BitLocker deployment comparison chart. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: lovina-saldanha ms.author: v-lsaldanha manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/20/2021 diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 359a620b10..e1d313bfbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -2,14 +2,10 @@ title: Overview of BitLocker Device Encryption in Windows description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 442bafb9c2..7f02986150 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -1,17 +1,12 @@ --- title: BitLocker Group Policy settings (Windows 10) description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. -ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index f743aedb8a..c8b01291fb 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -1,17 +1,12 @@ --- title: BitLocker How to deploy on Windows Server 2012 and later description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later -ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index da9fd23653..efdb32240c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -1,17 +1,12 @@ --- title: BitLocker - How to enable Network Unlock (Windows 10) description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it. -ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 1b234aad34..faf5dfd19a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -2,14 +2,10 @@ title: BitLocker Management Recommendations for Enterprises (Windows 10) description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 41c1be27f1..92b67559cf 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -1,16 +1,11 @@ --- title: BitLocker description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 88a6971b32..7c87a7eecd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -1,17 +1,12 @@ --- title: BitLocker recovery guide (Windows 10) description: This article for IT professionals describes how to recover BitLocker keys from AD DS. -ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri @@ -502,7 +497,7 @@ You can reset the recovery password in two ways: > [!NOTE] > To manage a remote computer, you can specify the remote computer name rather than the local computer name. -You can use the following sample script to create a VBScript file to reset the recovery passwords: +You can use the following sample VBScript to reset the recovery passwords: ```vb ' Target drive letter diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index f33bdd77ff..15738e7ad1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -1,17 +1,12 @@ --- title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) description: This article for the IT professional describes how to use tools to manage BitLocker. -ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 53a8a654a2..dd79eb176a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -1,17 +1,12 @@ --- title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. -ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index ba7ecc2d18..4cda103d80 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -1,17 +1,12 @@ --- title: Prepare your organization for BitLocker Planning and policies (Windows 10) description: This topic for the IT professional explains how can you plan your BitLocker deployment. -ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index d176a4f457..1d51dfda83 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -1,17 +1,12 @@ --- title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) description: This article for IT pros describes how to protect CSVs and SANs with BitLocker. -ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index 89bcd638f5..7242269177 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -4,12 +4,10 @@ description: Describes approaches for investigating BitLocker issues, including ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.date: 10/17/2019 diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index 5da7725f1d..ef0e081dee 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -4,12 +4,10 @@ description: Provides guidance for troubleshooting known issues that may prevent ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.date: 10/17/2019 diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index 2609cccafb..cff0ac038d 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md @@ -4,12 +4,10 @@ description: Provides guidance for troubleshooting known issues that may prevent ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.date: 10/18/2019 diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 6898a72c8c..0cd7aa0c07 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -4,12 +4,10 @@ description: Describes common issues that involve your BitLocker configuration a ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.date: 10/17/2019 diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 101da7a83b..c36cc4ab98 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -4,12 +4,10 @@ description: Provides instructions for installing and using a tool for analyzing ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.date: 10/17/2019 diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index a15efdcb28..abea61f37e 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -4,12 +4,10 @@ description: provides assistance for issues that you may see if you use Microsof ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: - Windows Security Technologies\BitLocker - highpri diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index df10782087..d10158fc36 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -4,7 +4,7 @@ description: Describes several known issues that you may encounter while using n ms.technology: windows-sec ms.prod: m365-security ms.localizationpriority: medium -author: Teresa-Motiv +author: v-tappelgate ms.author: v-tappelgate manager: kaushika ms.reviewer: kaushika diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index cd0ae7ec94..163cc0e029 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -4,12 +4,10 @@ description: Describes common issues that can occur that prevent BitLocker from ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: - Windows Security Technologies\BitLocker - highpri diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md index fe62dc41cc..6a0c6cf979 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md @@ -4,12 +4,10 @@ description: Describes common issues that relate directly to the TPM, and provid ms.reviewer: kaushika ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.date: 10/18/2019 diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 7fe79ded9f..6cf2060ecb 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -1,14 +1,10 @@ --- title: Encrypted Hard Drive (Windows) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dulcemontemayor ms.date: 04/02/2019 --- diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 1d0b0ea803..4460e09f34 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -91,8 +91,11 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows. - >[!NOTE] - > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). + > [!NOTE] + > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. + + > [!NOTE] + > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 8b7acbc1b7..6cbc6425b8 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -85,7 +85,23 @@ These requirements help protect you from rootkits while allowing you to run any To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings. -Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems. +The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible. + +To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps: + +1. Open the firmware menu, either: + + - Boot the PC, and press the manufacturer’s key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there’s often a screen that mentions the key. If there’s not one, or if the screen goes by too fast to see it, check your manufacturer’s site. + + - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings. + +2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the “3rd Party CA”. + +3. Save changes and exit. + +Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust. + +Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems. ## Trusted Boot diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 5356f4bc2d..3ad6efecd1 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -1,16 +1,11 @@ --- title: Back up the TPM recovery information to AD DS (Windows) description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information. -ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/03/2021 diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 7260afb4d5..4337bd6dac 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -1,16 +1,11 @@ --- title: Change the TPM owner password (Windows) description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/18/2022 diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index c54c2521ad..9b2fa9a1f7 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -1,17 +1,12 @@ --- title: How Windows uses the TPM description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security. -ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index a4f56fec1e..b6e14ea7da 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -1,16 +1,11 @@ --- title: Troubleshoot the TPM (Windows) description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM). -ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md index f998c94a96..697fdc3840 100644 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ b/windows/security/information-protection/tpm/manage-tpm-commands.md @@ -1,15 +1,10 @@ --- title: Manage TPM commands (Windows) description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. -ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dulcemontemayor manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index 814498c4c7..a28ed8f612 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -1,16 +1,11 @@ --- title: Manage TPM lockout (Windows) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. -ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dulcemontemayor manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index dff3ed5386..22a4d729b0 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -1,16 +1,11 @@ --- title: Understanding PCR banks on TPM 2.0 devices (Windows) description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices. -ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 972a59fcc1..391fb0e733 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -1,16 +1,11 @@ --- title: Trusted Platform Module (TPM) fundamentals (Windows) description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks. -ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 5a343e626c..1790a62ef4 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -1,17 +1,12 @@ --- title: TPM recommendations (Windows) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. -ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 07705c394b..942d2ff588 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -1,17 +1,12 @@ --- title: Trusted Platform Module Technology Overview (Windows) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. -ms.assetid: face8932-b034-4319-86ac-db1163d46538 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: high author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index c70105fc3b..5dadb45989 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -1,16 +1,11 @@ --- title: TPM Group Policy settings (Windows) description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. -ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md index c1799559bf..85807ba447 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -2,14 +2,10 @@ title: Trusted Platform Module (Windows) description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 57044c576d..4d6e18a29e 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -1,16 +1,11 @@ --- title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10) description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria -keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index f7bfc44de4..49dd0c2647 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -2,14 +2,10 @@ title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10) description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 1b4ece02db..d382f10da0 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -1,27 +1,26 @@ --- -title: Make & verify an EFS Data Recovery Agent certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. -keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection +title: Create an EFS Data Recovery Agent certificate +description: Follow these steps to create, verify, and perform a quick recovery by using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/05/2019 -ms.reviewer: +ms.topic: how-to +ms.date: 07/15/2022 --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate -**Applies to:** +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + -- Windows 10, version 1607 and later +_Applies to:_ + +- Windows 10 +- Windows 11 If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. @@ -128,7 +127,7 @@ Starting with Windows 10, version 1709, WIP includes a data recovery feature tha To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity. -The employee experience is based on sign in with an Azure AD work account. The employee can either: +The employee experience is based on signing in with an Azure AD work account. The employee can either: - Add a work account through the **Windows Settings > Accounts > Access work or school > Connect** menu. @@ -164,7 +163,3 @@ After signing in, the necessary WIP key info is automatically downloaded and emp - [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) - [Creating a Domain-Based Recovery Agent](/previous-versions/tn-archive/cc875821(v=technet.10)#EJAA) - - ->[!Note] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 3c7680cf51..de0d27d47c 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -1,16 +1,11 @@ --- title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10) description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy -keywords: WIP, Enterprise Data Protection ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index fdbf865d8a..87e2aed9c2 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -1,30 +1,28 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10) -description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. -ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 -ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager +title: Create and deploy a WIP policy in Configuration Manager +description: Use Microsoft Endpoint Configuration Manager to create and deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 01/09/2020 +ms.topic: how-to +ms.date: 07/15/2022 --- -# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager -**Applies to:** +# Create and deploy a Windows Information Protection policy in Configuration Manager -- Windows 10, version 1607 and later -- Microsoft Endpoint Configuration Manager +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + -Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +_Applies to:_ + +- Windows 10 +- Windows 11 + +Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy. You can choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. @@ -34,18 +32,18 @@ After you've installed and set up Configuration Manager for your organization, y **To create a configuration item for WIP** -1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. +1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png) -2. Click the **Create Configuration Item** button.

                        +2. Select the **Create Configuration Item** button.

                        The **Create Configuration Item Wizard** starts. ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png) 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then select **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -53,11 +51,11 @@ The **Create Configuration Item Wizard** starts. - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 -5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. +5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**. ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png) -6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. +6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**. ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png) @@ -77,7 +75,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap **To add a store app** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. @@ -85,7 +83,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap 2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Select **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. @@ -93,7 +91,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap The box changes to show the store app rule options. -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. +5. Type the name of the app and the name of its publisher, and then select **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. If you don't know the publisher or product name, you can find them for both desktop devices by following these steps. @@ -137,7 +135,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** **To add a desktop app to your policy** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. @@ -145,7 +143,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** 2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Select **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. @@ -153,15 +151,15 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** The box changes to show the desktop app rule options. -5. Pick the options you want to include for the app rule (see table), and then click **OK**. +5. Pick the options you want to include for the app rule (see table), and then select **OK**. |Option|Manages| |--- |--- | |All fields left as "*"|All files signed by any publisher. (Not recommended.)| - |**Publisher** selected|All files signed by the named publisher.This might be useful if your company is the publisher and signer of internal line-of-business apps.| + |**Publisher** selected|All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.| |**Publisher** and **Product Name** selected|All files for the specified product, signed by the named publisher.| |**Publisher**, **Product Name**, and **Binary name** selected|Any version of the named file or package for the specified product, signed by the named publisher.| - |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.This option is recommended for enlightened apps that weren't previously enlightened.| + |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.| |**Publisher**, **Product Name**, **Binary name**, and **File Version, And below** selected|Specified version or older releases of the named file or package for the specified product, signed by the named publisher.| |**Publisher**, **Product Name**, **Binary name**, and **File Version, Exactly** selected|Specified version of the named file or package for the specified product, signed by the named publisher.| @@ -191,31 +189,31 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 1. Open the Local Security Policy snap-in (SecPol.msc). -2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then select **Packaged App Rules**. ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png) -3. Right-click in the right-hand pane, and then click **Create New Rule**. +3. Right-click in the right-hand pane, and then select **Create New Rule**. The **Create Packaged app Rules** wizard appears. -4. On the **Before You Begin** page, click **Next**. +4. On the **Before You Begin** page, select **Next**. ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png) -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**. ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png) -6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. +6. On the **Publisher** page, select **Select** from the **Use an installed packaged app as a reference** area. ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we're using Microsoft Photos. ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png) -8. On the updated **Publisher** page, click **Create**. +8. On the updated **Publisher** page, select **Create**. ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png) @@ -223,15 +221,15 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png) -10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. +10. In the left pane, right-click on **AppLocker**, and then select **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png) -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**. - The policy is saved and you'll see a message that says 1 rule was exported from the policy. + The policy is saved and you'll see a message that says one rule was exported from the policy. **Example XML file**
                        This is the XML file that AppLocker creates for Microsoft Photos. @@ -257,7 +255,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** **To import your Applocker policy file app rule using Configuration Manager** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. @@ -265,7 +263,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Select **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. @@ -273,7 +271,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** The box changes to let you import your AppLocker XML policy file. -5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box. +5. Select the ellipsis (...) to browse for your AppLocker XML file, select **Open**, and then select **OK** to close the **Add app rule** box. The file is imported and the apps are added to your **App Rules** list. @@ -282,25 +280,25 @@ If you're running into compatibility issues where your app is incompatible with **To exempt a store app, a desktop app, or an AppLocker policy file app rule** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*. -3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. +3. Select **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see [Add app rules to your policy](#add-app-rules-to-your-policy) in this article. + When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see [Add app rules to your policy](#add-app-rules-to-your-policy) in this article. 4. Fill out the rest of the app rule info, based on the type of rule you're adding: - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this article. - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this article. - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this article, using a list of exempted apps. -5. Click **OK**. +5. Select **OK**. ## Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. @@ -314,15 +312,15 @@ We recommend that you start with **Silent** or **Override** while verifying with |-----|------------| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

                        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.| +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off |WIP is turned off and doesn't help to protect or audit your data.

                        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).| :::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-appmgmt.png"::: ## Define your enterprise-managed identity domains Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. -You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. +You can specify multiple domains owned by your enterprise by separating them with the `|` character. For example, `contoso.com|newcontoso.com`. With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. **To add your corporate identity** @@ -339,7 +337,7 @@ There are no default locations included with WIP, you must add each of your netw >Every WIP policy should include policy that defines your enterprise network locations.
                        >Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations. -**To define where your protected apps can find and send enterprise data on you network** +**To define where your protected apps can find and send enterprise data on your network** 1. Add additional network locations your apps can access by clicking **Add**. @@ -351,7 +349,7 @@ There are no default locations included with WIP, you must add each of your netw - **Enterprise Cloud Resources**: Specify the cloud resources to be treated as corporate and protected by WIP. - For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. + For each cloud resource, you may also optionally specify a proxy server from your internal proxy servers list to route traffic for this cloud resource. All traffic routed through your internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the `|` delimiter. If you don't use proxy servers, you must also include the `,` delimiter just before the `|`. For example: URL `<,proxy>|URL <,proxy>`. @@ -364,7 +362,7 @@ There are no default locations included with WIP, you must add each of your netw >[!Important] > In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. - - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. + - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. @@ -414,7 +412,7 @@ There are no default locations included with WIP, you must add each of your netw **Format examples**: `sts.contoso.com,sts.contoso2.com` -3. Add as many locations as you need, and then click **OK**. +3. Add as many locations as you need, and then select **OK**. The **Add or edit corporate network definition** box closes. @@ -422,13 +420,13 @@ There are no default locations included with WIP, you must add each of your netw :::image type="content" alt-text="Create Configuration Item wizard, Add whether to search for additional network settings" source="images/wip-configmgr-optsettings.png"::: - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. - - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Select this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) @@ -458,27 +456,26 @@ After you've decided where your protected apps can access enterprise data on you - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. -2. After you pick all of the settings you want to include, click **Summary**. +2. After you pick all of the settings you want to include, select **Summary**. ## Review your configuration choices in the Summary screen After you've finished configuring your policy, you can review all of your info on the **Summary** screen. **To view the Summary screen** -- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. +- Select the **Summary** button to review your policy choices, and then select **Next** to finish and to save your policy. ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png) - A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. + A progress bar appears, showing you progress for your policy. After it's done, select **Close** to return to the **Configuration Items** page. ## Deploy the WIP policy -After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: -- [Operations and Maintenance for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699357(v=technet.10)) +After you've created your WIP policy, you'll need to deploy it to your organization's devices. For more information about your deployment options, see the following articles: -- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg712268(v=technet.10)) +- [Create configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/create-configuration-baselines) -- [How to Deploy Configuration Baselines in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/hh219289(v=technet.10)) +- [How to deploy configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines) -## Related topics +## Related articles - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 3fa8df029b..06970b38c5 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -1,25 +1,25 @@ --- -title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10) -description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. +title: Create a WIP policy in Intune +description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 05/13/2019 -ms.reviewer: +ms.topic: how-to +ms.date: 07/15/2022 --- -# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune +# Create a Windows Information Protection policy in Microsoft Intune -**Applies to:** +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + -- Windows 10, version 1607 and later +_Applies to:_ + +- Windows 10 +- Windows 11 Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. @@ -122,7 +122,7 @@ If you don't know the Store app publisher or product name, you can find them by 4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune. >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. > > For example: > @@ -151,7 +151,7 @@ If you don't know the Store app publisher or product name, you can find them by 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. > > For example: > @@ -168,19 +168,19 @@ To add **Desktop apps**, complete the following fields, based on what results yo |Field|Manages| |--- |--- | -|All fields marked as “*”|All files signed by any publisher. (Not recommended and may not work)| -|Publisher only|If you only fill out this field, you’ll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.| -|Publisher and Name only|If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.| -|Publisher, Name, and File only|If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.| -|Publisher, Name, File, and Min version only|If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.| -|Publisher, Name, File, and Max version only|If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.| -|All fields completed|If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.| +|All fields marked as `*`|All files signed by any publisher. (Not recommended and may not work)| +|Publisher only|If you only fill out this field, you'll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.| +|Publisher and Name only|If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher.| +|Publisher, Name, and File only|If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher.| +|Publisher, Name, File, and Min version only|If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.| +|Publisher, Name, File, and Max version only|If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.| +|All fields completed|If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher.| -To add another Desktop app, select the ellipsis **…**. After you’ve entered the info into the fields, select **OK**. +To add another Desktop app, select the ellipsis `…`. After you've entered the info into the fields, select **OK**. ![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png) -If you’re unsure about what to include for the publisher, you can run this PowerShell command: +If you're unsure about what to include for the publisher, you can run this PowerShell command: ```powershell Get-AppLockerFileInformation -Path "" @@ -206,7 +206,7 @@ Regarding to how to get the Product Name for the Apps you wish to Add, contact t ### Import a list of apps -This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. +This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You'll use this option if you want to add multiple apps at the same time. - [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps) - [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps) @@ -237,7 +237,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo ![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we’re using Microsoft Dynamics 365. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we're using Microsoft Dynamics 365. ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png) @@ -261,7 +261,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**. - The policy is saved and you’ll see a message that says one rule was exported from the policy. + The policy is saved and you'll see a message that says one rule was exported from the policy. **Example XML file**
                        This is the XML file that AppLocker creates for Microsoft Dynamics 365. @@ -285,7 +285,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo ``` -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. +12. After you've created your XML file, you need to import it by using Microsoft Intune. ## Create an Executable rule for unsigned apps @@ -307,7 +307,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png) -7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". +7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, we're using "C:\Program Files". ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png) @@ -319,9 +319,9 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**. - The policy is saved and you’ll see a message that says one rule was exported from the policy. + The policy is saved and you'll see a message that says one rule was exported from the policy. -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. +12. After you've created your XML file, you need to import it by using Microsoft Intune. **To import a list of protected apps using Microsoft Intune** @@ -347,9 +347,9 @@ If your app is incompatible with WIP, but still needs to be used with enterprise 2. In **Exempt apps**, select **Add apps**. - When you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. + When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. -3. Fill out the rest of the app info, based on the type of app you’re adding: +3. Fill out the rest of the app info, based on the type of app you're adding: - [Add Recommended apps](#add-recommended-apps) @@ -375,12 +375,12 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| - |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

                        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| + |Off |WIP is turned off and doesn't help to protect or audit your data.

                        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).| 2. Select **Save**. ## Define your enterprise-managed corporate identity -Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. +Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field. @@ -388,7 +388,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor 1. From **App policy**, select the name of your policy, and then select **Required settings**. -2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. +2. If the auto-defined identity isn't correct, you can change the info in the **Corporate identity** field. ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png) @@ -399,7 +399,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. -There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). To define the network boundaries, select **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. @@ -424,7 +424,7 @@ Personal applications can access a cloud resource that has a blank space or an i To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks). -In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. +In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting. For example: @@ -470,9 +470,9 @@ corp.contoso.com,region.contoso.com ### Proxy servers Specify the proxy servers your devices will go through to reach your cloud resources. -Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. +Using this server type indicates that the cloud resources you're connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Internal proxy servers list. +This list shouldn't include any servers listed in your Internal proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. @@ -482,9 +482,9 @@ proxy.contoso.com:80;proxy2.contoso.com:443 ### Internal proxy servers -Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. +Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. +This list shouldn't include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. @@ -496,7 +496,7 @@ contoso.internalproxy1.com;contoso.internalproxy2.com Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. -Classless Inter-Domain Routing (CIDR) notation isn’t supported. +Classless Inter-Domain Routing (CIDR) notation isn't supported. Separate multiple ranges with the "," delimiter. @@ -511,13 +511,13 @@ Starting with Windows 10, version 1703, this field is optional. Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your network domain names, define your corporate network boundaries. -Classless Inter-Domain Routing (CIDR) notation isn’t supported. +Classless Inter-Domain Routing (CIDR) notation isn't supported. Separate multiple ranges with the "," delimiter. -**Starting IPv6 Address:** 2a01:110::
                        -**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                        -**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                        fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +**Starting IPv6 Address:** `2a01:110::`
                        +**Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
                        +**Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,'
                        'fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` ### Neutral resources @@ -538,10 +538,10 @@ Decide if you want Windows to look for more network settings: ![Microsoft Intune, Choose if you want Windows to search for more proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png) ## Upload your Data Recovery Agent (DRA) certificate -After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. +After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. >[!Important] ->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). +>Using a DRA certificate isn't mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). **To upload your DRA certificate** 1. From **App policy**, select the name of your policy, and then select **Advanced settings** from the menu that appears. @@ -557,11 +557,11 @@ After you've decided where your protected apps can access enterprise data on you ![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png) -**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: +**Revoke encryption keys on unenroll.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. -- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. +- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions. **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: @@ -569,11 +569,11 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. -**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). +**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template's license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). -- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. +- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn't actually apply Azure Information Protection to the files. - If you don’t specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access. + If you don't specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it's a regular EFS file using a default RMS template that all users can access. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. @@ -605,6 +605,3 @@ You can restrict which files are protected by WIP when they're downloaded from a - [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment) - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) - -> [!NOTE] -> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index c81eea7fca..d097f3b77a 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -1,16 +1,11 @@ --- title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10) description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/05/2019 diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 21a45af6ca..021ea7ed44 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -1,18 +1,12 @@ --- title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them. -ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/02/2019 diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 1f6aaa6f4e..df344aface 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -1,18 +1,12 @@ --- title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10) description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart. -ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md new file mode 100644 index 0000000000..1d285e189d --- /dev/null +++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md @@ -0,0 +1,126 @@ +--- +title: How to disable Windows Information Protection (WIP) +description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Endpoint Configuration Manager. +ms.date: 07/21/2022 +ms.prod: m365-security +ms.topic: how-to +ms.localizationpriority: medium +author: lizgt2000 +ms.author: lizlong +ms.reviewer: aaroncz +manager: dougeby +--- + +# How to disable Windows Information Protection (WIP) + +[!INCLUDE [wip-deprecation](includes/wip-deprecation.md)] + + +_Applies to:_ + +- Windows 10 +- Windows 11 + +## Use Intune to disable WIP + +To disable Windows Information Protection (WIP) using Intune, you have the following options: + +### Option 1 - Unassign the WIP policy (preferred) + +When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign). + +### Option 2 - Change current WIP policy to off + +If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP. + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +1. Open Microsoft Intune and select **Apps** > **App protection policies**. +1. Select the existing policy to turn off, and then select the **Properties**. +1. Edit **Required settings**. + :::image type="content" alt-text="Intune App Protection policy properties, required settings, with WIP mode Off." source="images/intune-edit-app-protection-policy-mode-off.png"::: +1. Set **Windows Information Protection mode** to off. +1. After making this change, select **Review and Save**. +1. Select **Save**. + +> [!NOTE] +> **Another option is to create a disable policy that sets WIP to Off.** +> +> You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once. + +### Revoke local encryption keys during the unenrollment process + +Determine whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + +- Yes, or not configured. Revokes local encryption keys from a device during unenrollment. +- No (recommended). Stop local encryption keys from being revoked from a device during unenrollment. + +## Use Configuration Manager to disable WIP + +To disable Windows Information Protection (WIP) using Configuration Manager, create a new configuration item that turns off WIP. Configure that new object for your environment to match the existing policy, except for disabling WIP. Then deploy the new policy, and move devices into the new collection. + +> [!WARNING] +> Don't just delete your existing WIP policy. If you delete the old policy, Configuration Manager stops sending further WIP policy updates, but also leaves WIP enforced on the devices. To remove WIP from your managed devices, follow the steps in this section to create a new policy to turn off WIP. + +### Create a WIP policy + +To disable WIP for your organization, first create a configuration item. + +1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. + +2. Select the **Create Configuration Item** button. + The **Create Configuration Item Wizard** starts. + + ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen-off.png) + +3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + +4. In the **Specify the type of configuration item you want to create** area, select **Windows 10 or later** for devices managed with the Configuration Manager client, and then select **Next**. + +5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**. + +6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**. + +The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The following sections provide details on the required settings on this page. + +> [!TIP] +> For more information on filling out the required fields, see [Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr). + +#### Turn off WIP + +Of the four options to specify the restriction mode, select **Off** to turn off Windows Information Protection. + +:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png"::: + +#### Specify the corporate identity + +Paste the value of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. + +![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png) + +> [!IMPORTANT] +> This corporate identity value must match the string in the original policy. Copy and paste the string from your original policy that enables WIP. + +#### Specify the corporate network definition + +For the **Corporate network definition**, select **Add** to specify the necessary network locations. The **Add or edit corporate network definition** box appears. Add the required fields. + +> [!IMPORTANT] +> These corporate network definitions must match the original policy. Copy and paste the strings from your original policy that enables WIP. + +#### Specify the data recovery agent certificate + +In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. This certificate should be the same as the original policy that enables WIP. + +![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) + +### Deploy the WIP policy + +After you've created the new policy to turn off WIP, deploy it to your organization's devices. For more information about deployment options, see the following articles: + +- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines). + +- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections). + +- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines). + +- Move devices from the old collection to new collection. diff --git a/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png b/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png new file mode 100644 index 0000000000..e5cb84a44e Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png new file mode 100644 index 0000000000..f1cf7c107d Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png new file mode 100644 index 0000000000..ab05d9607a Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png differ diff --git a/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md b/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md new file mode 100644 index 0000000000..398ac1dfdc --- /dev/null +++ b/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md @@ -0,0 +1,12 @@ +--- +author: aczechowski +ms.author: aaroncz +ms.prod: windows +ms.topic: include +ms.date: 07/20/2022 +--- + +> [!NOTE] +> Starting in July 2022, Microsoft is deprecating Windows Information Protection (WIP). Microsoft will continue to support WIP on supported versions of Windows. New versions of Windows won't include new capabilities for WIP, and it won't be supported in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection](https://go.microsoft.com/fwlink/?linkid=2202124). +> +> For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Purview simplifies the configuration set-up and provides an advanced set of capabilities. diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 18726f1c02..73f91f204f 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -1,59 +1,59 @@ --- -title: Limitations while using Windows Information Protection (WIP) (Windows 10) +title: Limitations while using Windows Information Protection (WIP) description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/05/2019 -ms.reviewer: ms.localizationpriority: medium --- # Limitations while using Windows Information Protection (WIP) -**Applies to:** -- Windows 10, version 1607 and later +_Applies to:_ + +- Windows 10 +- Windows 11 This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization. - **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - **How it appears**: - - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703. - - If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + - If you're using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703. + - If you're not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. - **Workaround**: Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited. We strongly recommend educating employees about how to limit or eliminate the need for this decryption. - **Limitation**: Direct Access is incompatible with Windows Information Protection. - - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. + - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn't a corporate network resource. - **Workaround**: We recommend that you use VPN for client access to your intranet resources. > [!NOTE] - > VPN is optional and isn’t required by Windows Information Protection. + > VPN is optional and isn't required by Windows Information Protection. - **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings. - **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. - **Workaround**: If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. -- **Limitation**: Cortana can potentially allow data leakage if it’s on the allowed apps list. +- **Limitation**: Cortana can potentially allow data leakage if it's on the allowed apps list. - **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. - - **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. + - **Workaround**: We don't recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. + + - **Limitation**: Windows Information Protection is designed for use by a single user per device. - - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process. - - **Workaround**: We recommend only having one user per managed device. + - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user's content can be revoked during the unenrollment process. + - **Workaround**: Have only one user per managed device. + - If this scenario occurs, it may be possible to mitigate. Once protection is disabled, a second user can remove protection by changing the file ownership. Although the protection is in place, the file remains accessible to the user. - **Limitation**: Installers copied from an enterprise network file share might not work properly. - - **How it appears**: An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. + - **How it appears**: An app might fail to properly install because it can't read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. - **Workaround**: To fix this, you can: - Start the installer directly from the file share. @@ -63,9 +63,9 @@ This following list provides info about the most common problems you might encou OR - - Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list. + - Mark the file share with the installation media as "personal". To do this, you'll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you'll need to put the file server on the Enterprise Proxy Server list. -- **Limitation**: Changing your primary Corporate Identity isn’t supported. +- **Limitation**: Changing your primary Corporate Identity isn't supported. - **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. @@ -90,7 +90,7 @@ This following list provides info about the most common problems you might encou - **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload. - **Limitation**: ActiveX controls should be used with caution. - - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using Windows Information Protection. + - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren't protected by using Windows Information Protection. - **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). @@ -99,7 +99,7 @@ This following list provides info about the most common problems you might encou - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail. - **Workaround**: Format drive for NTFS, or use a different drive. -- **Limitation**: Windows Information Protection isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: +- **Limitation**: Windows Information Protection isn't turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: - AppDataRoaming - Desktop - StartMenu @@ -116,8 +116,8 @@ This following list provides info about the most common problems you might encou
                        - - **How it appears**: Windows Information Protection isn’t turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager. - - **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders). + - **How it appears**: Windows Information Protection isn't turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager. + - **Workaround**: Don't set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders). If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline. @@ -142,7 +142,7 @@ This following list provides info about the most common problems you might encou 2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop. 3. Copy the notebook folder and Paste it back into the OneDrive for Business folder. - Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. + Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the "Open in app" button. - **Limitation**: Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected. - **How it appears**: If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 6c2ccfde53..26beadd011 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -1,16 +1,11 @@ --- title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise. -keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/25/2022 diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index c017a7e4f6..f60db36a4f 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md @@ -1,17 +1,12 @@ --- title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10) description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. -ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index 348af05f36..9c4593f028 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -1,17 +1,12 @@ --- title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy. -ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/11/2019 diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 89d703af97..82bb52d344 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -1,32 +1,29 @@ --- -title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10) +title: Protect your enterprise data using Windows Information Protection description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud. -ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, DLP, data loss prevention, data leakage protection ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: - M365-security-compliance - - highpri -ms.topic: conceptual -ms.date: 03/05/2019 +ms.topic: overview +ms.date: 07/15/2022 --- # Protect your enterprise data using Windows Information Protection (WIP) -**Applies to:** -- Windows 10, version 1607 and later +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). +_Applies to:_ -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. +- Windows 10 +- Windows 11 + +With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. @@ -38,18 +35,18 @@ Windows Information Protection (WIP), previously known as enterprise data protec > [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh] ## Prerequisites -You’ll need this software to run Windows Information Protection in your enterprise: +You'll need this software to run Windows Information Protection in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune

                        -OR-

                        Microsoft Endpoint Configuration Manager

                        -OR-

                        Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

                        -OR-

                        Microsoft Endpoint Configuration Manager

                        -OR-

                        Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.| ## What is enterprise data control? -Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. +Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can't share anything and it's all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. -As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn’t guarantee that the data will remain within the secured locations of the enterprise. This means that while access controls are a great start, they’re not enough. +As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn't guarantee that the data will remain within the secured locations of the enterprise. This means that while access controls are a great start, they're not enough. -In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don’t allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls. +In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don't allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls. ### Using data loss prevention systems To help address this security insufficiency, companies developed data loss prevention (also known as DLP) systems. Data loss prevention systems require: @@ -59,15 +56,15 @@ To help address this security insufficiency, companies developed data loss preve - **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft Purview data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry). -Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand. +Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees' natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn't see and can't understand. ### Using information rights management systems To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on. -After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won’t be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees’ work might be unexpectedly interrupted if he or she attempts to use a non-compatible app. +After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won't be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees' work might be unexpectedly interrupted if he or she attempts to use a non-compatible app. ### And what about when an employee leaves the company or unenrolls a device? -Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device. +Finally, there's the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device. ## Benefits of WIP Windows Information Protection provides: @@ -84,17 +81,17 @@ Windows Information Protection provides: ## Why use WIP? Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. +- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn't using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally maintained as enterprise data. - **Manage your enterprise documents, apps, and encryption modes.** - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn't paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. - You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list. + You don't have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list. - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). @@ -103,9 +100,9 @@ Windows Information Protection is the mobile application management (MAM) mechan Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document. - - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. + - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn't on your protected apps list, employees won't be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. - - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. + - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn't. - **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. @@ -121,7 +118,7 @@ Windows Information Protection helps address your everyday challenges in the ent - Helping to maintain the ownership and control of your enterprise data. -- Helping control the network and data access and data sharing for apps that aren’t enterprise aware +- Helping control the network and data access and data sharing for apps that aren't enterprise aware ### Enterprise scenarios Windows Information Protection currently addresses these enterprise scenarios: @@ -131,12 +128,12 @@ Windows Information Protection currently addresses these enterprise scenarios: - You can protect specific apps that can access enterprise data that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data. -- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. +- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn't required. ### WIP-protection modes -Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. +Enterprise data is automatically encrypted after it's loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. -Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. +Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don't have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it's personally owned. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). @@ -145,19 +142,14 @@ You can set your Windows Information Protection policy to use 1 of 4 protection |Mode|Description| |----|-----------| -|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization's network.| |Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| -|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| -|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.

                        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. | +|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would've been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| +|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.

                        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn Windows Information Protection back on. | ## Turn off WIP -You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied. +You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn't recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won't be automatically reapplied. ## Next steps -After deciding to use WIP in your enterprise, you need to: -- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) - - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +After you decide to use WIP in your environment, [create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md). diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index c55f4fe75b..14f23ff7f7 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -1,16 +1,11 @@ --- title: Recommended URLs for Windows Information Protection (Windows 10) description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/25/2019 diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 247a47ecf5..4f2fdaa90d 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -1,18 +1,12 @@ --- title: Testing scenarios for Windows Information Protection (WIP) (Windows 10) description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. -ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/05/2019 diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index c1188fad4b..78349eb5ab 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -1,16 +1,11 @@ --- title: Using Outlook on the web with WIP (Windows 10) description: Options for using Outlook on the web with Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 84dae48f11..20d519622f 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -1,16 +1,11 @@ --- title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10) description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 9c173860f4..dc79e60f50 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -77,13 +77,13 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -137,7 +137,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ - **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object). - SDDL contains Central Access Policy SID, here is an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name you need to do the following: + SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name, you need to do the following steps: 1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container. @@ -166,11 +166,11 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ |-------|--------------------------------------|-------|---------------------------------| | "AO" | Account operators | "PA" | Group Policy administrators | | "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | -| "AN" | Anonymous logon | "LA" | Local administrator | +| "AN" | Anonymous sign in | "LA" | Local administrator | | "AU" | Authenticated users | "LG" | Local guest | | "BA" | Built-in administrators | "LS" | Local service account | | "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | +| "BO" | Backup operators | "NU" | Network sign-in user | | "BU" | Built-in users | "NO" | Network configuration operators | | "CA" | Certificate server administrators | "NS" | Network service account | | "CG" | Creator group | "PO" | Printer operators | @@ -182,7 +182,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ | "DU" | Domain users | "RC" | Restricted code | | "EA" | Enterprise administrators | "SA" | Schema administrators | | "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | +| "WD" | Everyone | "SU" | Service sign-in user | - *G*: = Primary Group. - *D*: = DACL Entries. @@ -202,7 +202,7 @@ Example: D:(A;;FA;;;WD) "P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set. "AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. @@ -228,7 +228,7 @@ Example: D:(A;;FA;;;WD) "CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. +"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE. "NP" - NO PROPAGATE: only immediate children inherit this ace. @@ -239,7 +239,7 @@ Example: D:(A;;FA;;;WD) "SA" - SUCCESSFUL ACCESS AUDIT "FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. +- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. | Value | Description | Value | Description | |----------------------------|---------------------------------|----------------------|--------------------------| @@ -261,7 +261,7 @@ Example: D:(A;;FA;;;WD) - object\_guid: N/A - inherit\_object\_guid: N/A -- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above. For more information about SDDL syntax, see these articles: , . @@ -277,7 +277,7 @@ For 4913(S): Central Access Policy on the object was changed. - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Process Name**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 2899b77a51..64481ef466 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -97,12 +97,12 @@ Failure event generates if an error occurs (**Status Code** != 0). Directory Replication Service options in AD Sites and Services -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4928(S, F): An Active Directory replica source naming context was established. -- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 8d4802ca42..bd67b19fac 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -89,18 +89,18 @@ Failure event generates if an error occurs (**Status Code** != 0). - **Source Address** \[Type = UnicodeString\]: DNS record of the server from which the “remove” request was received. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was removed. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was removed. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4929(S, F): An Active Directory replica source naming context was removed. -- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index ad5d6086a1..c63813a961 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -27,7 +27,7 @@ This event generates every time Active Directory replica source naming context w Failure event generates if an error occurs (**Status Code** != 0). -It is not possible to understand what exactly was modified from this event. +It isn't possible to understand what exactly was modified from this event. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -91,18 +91,18 @@ It is not possible to understand what exactly was modified from this event. - **Source Address** \[Type = UnicodeString\]: DNS record of computer from which the modification request was received. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4930(S, F): An Active Directory replica source naming context was modified. -- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 39a7be5a64..46b91b742c 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -27,7 +27,7 @@ This event generates every time Active Directory replica destination naming cont Failure event generates if an error occurs (**Status Code** != 0). -It is not possible to understand what exactly was modified from this event. +It isn't possible to understand what exactly was modified from this event. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -91,13 +91,13 @@ It is not possible to understand what exactly was modified from this event. - **Destination Address** \[Type = UnicodeString\]: DNS record of computer to which the modification request was sent. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index f5581407ab..cc7ffb2eec 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates every time Windows Firewall service starts. -This event shows the inbound and/or outbound rule which was listed when the Windows Firewall started and applied for “Public” profile. +This event shows the inbound and/or outbound rule that was listed when the Windows Firewall started and applied for “Public” profile. This event generates per rule. @@ -75,11 +75,11 @@ This event generates per rule. - **Rule ID** \[Type = UnicodeString\]: the unique firewall rule identifier. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -89,5 +89,5 @@ For 4945(S): A rule was listed when the Windows Firewall started. - Typically this event has an informational purpose. -- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration is not the same. +- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration isn't the same. diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 505cec18fb..5a3a44929a 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -71,11 +71,11 @@ This event doesn't generate when new rule was added via Group Policy. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -87,11 +87,11 @@ This event doesn't generate when new rule was added via Group Policy. - **Rule ID** \[Type = UnicodeString\]: the unique new firewall rule identifier. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -99,5 +99,5 @@ This event doesn't generate when new rule was added via Group Policy. For 4946(S): A change has been made to Windows Firewall exception list. A rule was added. -- This event can be helpful in case you want to monitor all creations of new Firewall rules which were done locally. +- This event can be helpful in case you want to monitor all creations of new Firewall rules that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 65c71e3cd4..ecc34d3112 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -71,11 +71,11 @@ This event doesn't generate when the rule was deleted via Group Policy. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -87,11 +87,11 @@ This event doesn't generate when the rule was deleted via Group Policy. - **Rule ID** \[Type = UnicodeString\]: the unique identifier for deleted firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -99,5 +99,5 @@ This event doesn't generate when the rule was deleted via Group Policy. For 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. -- This event can be helpful in case you want to monitor all deletions of Firewall rules which were done locally. +- This event can be helpful in case you want to monitor all deletions of Firewall rules that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index 69db4a04e2..8c7148eb98 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -77,7 +77,7 @@ This event doesn't generate when Windows Firewall setting was changed via Group **New Setting:** -- **Type** \[Type = UnicodeString\]: the name of the setting which was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command: +- **Type** \[Type = UnicodeString\]: the name of the setting that was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command: Netsh advfirewall command illustration @@ -89,5 +89,5 @@ For 4950(S): A Windows Firewall setting has changed. - If you have a standard or baseline for Windows Firewall settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline. -- This event can be helpful in case you want to monitor all changes in Windows Firewall settings which were done locally. +- This event can be helpful in case you want to monitor all changes in Windows Firewall settings that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index 060b9c4b83..6f7ede1970 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -1,6 +1,6 @@ --- -title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10) -description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. +title: 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. (Windows 10) +description: Describes security event 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. +# 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall. Event 4951 illustration @@ -25,7 +25,7 @@ ms.technology: windows-sec When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. -If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule. +If you create a firewall rule on a newer version of Windows that references firewall settings that aren't available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it can't process the rule. The only solution is to remove the incompatible rule, and then deploy a compatible rule. @@ -73,11 +73,11 @@ The only solution is to remove the incompatible rule, and then deploy a compatib - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -89,17 +89,17 @@ The only solution is to remove the incompatible rule, and then deploy a compatib - **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration ## Security Monitoring Recommendations -For 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. +For 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 2d31faae0c..c327d3a349 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -1,6 +1,6 @@ --- -title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10) -description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed. +title: 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. (Windows 10) +description: Describes security event 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4953(F): Windows Firewall ignored a rule because it could not be parsed. +# 4953(F): Windows Firewall ignored a rule because it couldn't be parsed. Event 4953 illustration @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates if Windows Firewall was not able to parse Windows Firewall rule for some reason. +This event generates if Windows Firewall wasn't able to parse Windows Firewall rule for some reason. It can happen if Windows Firewall rule registry entry was corrupted. @@ -72,11 +72,11 @@ It can happen if Windows Firewall rule registry entry was corrupted. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -90,7 +90,7 @@ It can happen if Windows Firewall rule registry entry was corrupted. - **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. - To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration @@ -100,7 +100,7 @@ It can happen if Windows Firewall rule registry entry was corrupted. ## Security Monitoring Recommendations -For 4953(F): Windows Firewall ignored a rule because it could not be parsed. +For 4953(F): Windows Firewall ignored a rule because it couldn't be parsed. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index b83701e32b..5abad05870 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -1,6 +1,6 @@ --- title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) -description: Describes security event 4957(F) Windows Firewall did not apply the following rule. +description: Describes security event 4957(F) Windows Firewall didn't apply the following rule. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when Windows Firewall starts or apply new rule, and the rule cannot be applied for some reason. +This event generates when Windows Firewall starts or apply new rule, and the rule can't be applied for some reason. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -69,17 +69,17 @@ This event generates when Windows Firewall starts or apply new rule, and the rul - **ID** \[Type = UnicodeString\]: the unique identifier for not applied firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Name** \[Type = UnicodeString\]: the name of the rule which was not applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Name** \[Type = UnicodeString\]: the name of the rule that wasn't applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration **Error Information:** -- **Reason** \[Type = UnicodeString\]: the reason why the rule was not applied. +- **Reason** \[Type = UnicodeString\]: the reason why the rule wasn't applied. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 3fc2c85a83..4bd2da3a99 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -1,6 +1,6 @@ --- title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) -description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. +description: Describes security event 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -17,15 +17,15 @@ ms.technology: windows-sec # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. -Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied. +Windows Firewall with Advanced Security processed a rule that contains parameters that can't be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This exclusion isn't necessarily an error. Examine the rule for applicability on the computers to which it was applied. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) ***Event Schema:*** -*Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: +*Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer: Rule Information: %tID:%t%1 %tName:%t%2 diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 9216275f2d..86502afb98 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -19,9 +19,9 @@ ms.technology: windows-sec Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message. -This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies was not started. +This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies wasn't started. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index b54933cde7..0e6d81e9ac 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). -If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections. +If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you'll get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -82,8 +82,8 @@ For 5031(F): The Windows Firewall Service blocked an application from accepting - You can use this event to detect applications for which no Windows Firewall rules were created. -- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. +- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index dbb32f1459..60b2f51b2d 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -1,6 +1,6 @@ --- title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) -description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. +description: Describes security event 5038(F) Code integrity determined that the image hash of a file isn't valid. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -19,11 +19,11 @@ ms.technology: windows-sec The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. -This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file is not valid. +This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file isn't valid. -Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. +Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 7194197d62..aec25c2291 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -19,9 +19,9 @@ ms.technology: windows-sec This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). -This event occurs very rarely during standard LUAFV registry key virtualization. +This event occurs rarely during standard LUAFV registry key virtualization. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Registry](audit-registry.md) @@ -59,7 +59,7 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. +- There's no recommendation for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 67f25e7071..530cebdbe3 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -19,9 +19,9 @@ ms.technology: windows-sec This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). -This event occurs very rarely during standard LUAFV file virtualization. +This event occurs rarely during standard LUAFV file virtualization. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit File System](audit-file-system.md) @@ -59,5 +59,5 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. +- There's no recommendation for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index a0be07f3bf..b8d749b9fe 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for CNG troubleshooting. +This event is used for CNG troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 8ef262994a..6f251535e5 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5057(F): A cryptographic primitive operation failed. -This event generates in case of CNG primitive operation failure. +This event generates if there's a CNG primitive operation failure. For more information about Cryptographic Next Generation (CNG) visit these pages: @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index eaa7c1b441..42a31d7a3a 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used: +This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used: - Microsoft Software Key Storage Provider @@ -81,13 +81,13 @@ You can see these events, for example, during certificate renewal or export oper **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key file operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -109,7 +109,7 @@ You can see these events, for example, during certificate renewal or export oper - Microsoft Smart Card Key Storage Provider -- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values: - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. @@ -129,7 +129,7 @@ You can see these events, for example, during certificate renewal or export oper - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. -- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example: Certutil command illustration diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index e20a614013..b8f9fb0ef7 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -27,9 +27,9 @@ For more information about CNG, visit these pages: - -This event is mainly used for CNG troubleshooting. +This event is used for CNG troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index af59c9ccb8..58bcd9848d 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used: +This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used: - Microsoft Software Key Storage Provider @@ -78,13 +78,13 @@ This event generates when a cryptographic operation (open key, create key, creat **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested specific cryptographic operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -106,7 +106,7 @@ This event generates when a cryptographic operation (open key, create key, creat - Microsoft Smart Card Key Storage Provider -- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values: - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. @@ -126,7 +126,7 @@ This event generates when a cryptographic operation (open key, create key, creat - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. -- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example: Certutil command illustration diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 5038c7efce..ca597eccaf 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5063(S, F): A cryptographic provider operation was attempted. -This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic provider was registered or unregistered. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 58926d7958..ae83f4488b 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5064(S, F): A cryptographic context operation was attempted. -This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic context was created or deleted. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 7e24add6fe..e382f07e2f 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -16,8 +16,7 @@ ms.technology: windows-sec # 5065(S, F): A cryptographic context modification was attempted. - -This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when configuration information was changed for existing CNG context. @@ -27,9 +26,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 310525c71a..6a40bb0b06 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5066(S, F): A cryptographic function operation was attempted. -This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic function was added or removed from the list of functions that are supported by an existing CNG context. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 509b5d140a..02b76446df 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -17,19 +17,19 @@ ms.technology: windows-sec # 5067(S, F): A cryptographic function modification was attempted. -This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when configuration information for the cryptographic function of an existing CNG context was changed. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 1214a053db..ed2e8582db 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -17,17 +17,17 @@ ms.technology: windows-sec # 5068(S, F): A cryptographic function provider operation was attempted. -This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These functions are Cryptographic Next Generation (CNG) functions. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index dadbcf3347..fc14219958 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -17,19 +17,19 @@ ms.technology: windows-sec # 5069(S, F): A cryptographic function property operation was attempted. -This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when named property for a cryptographic function in an existing CNG context was added or removed. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 5763a4dba1..f21b182de2 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5070(S, F): A cryptographic function property modification was attempted. -This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when named property for a cryptographic function in an existing CNG context was updated. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 2d8d45b93a..26b6d241f5 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -27,7 +27,7 @@ This event generates every time an Active Directory object is modified. To generate this event, the modified object must have an appropriate entry in [SACL](/windows/win32/secauthz/access-control-lists): the “**Write”** action auditing for specific attributes. -For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value. +For a change operation, you'll typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -82,13 +82,13 @@ For a change operation you will typically see two 5136 events for one action, wi **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -142,13 +142,13 @@ For a change operation you will typically see two 5136 events for one action, wi - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 @@ -180,7 +180,7 @@ For a change operation you will typically see two 5136 events for one action, wi > **Note**  [LDAP Display Name](/windows/win32/adschema/a-ldapdisplayname) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol. -- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined. +- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes aren't represented as objects in the schema, but they're programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined. | OID | Syntax Name | Description | |----------|--------------------------------------------|----------------------------------------------------------| @@ -189,7 +189,7 @@ For a change operation you will typically see two 5136 events for one action, wi | 2.5.5.2 | String(Object-Identifier) | The object identifier. | | 2.5.5.3 | Case-Sensitive String | General String. | | 2.5.5.4 | CaseIgnoreString(Teletex) | Differentiates uppercase and lowercase. | -| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Does not differentiate uppercase and lowercase. | +| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Doesn't differentiate uppercase and lowercase. | | 2.5.5.6 | String(Numeric) | Printable string or IA5-String. | | 2.5.5.7 | Object(DN-Binary) | Both character sets are case-sensitive. | | 2.5.5.8 | Boolean | A sequence of digits. | @@ -205,7 +205,7 @@ For a change operation you will typically see two 5136 events for one action, wi > Table 10. LDAP Attribute Syntax OIDs. -- **Value** \[Type = UnicodeString\]: the value which was added or deleted, depending on the **Operation\\Type** field. +- **Value** \[Type = UnicodeString\]: the value that was added or deleted, depending on the **Operation\\Type** field. **Operation:** @@ -235,4 +235,4 @@ For 5136(S): A directory service object was modified. - If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name. -- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. \ No newline at end of file +- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index f5b8f335af..0a90a9f3a9 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -76,13 +76,13 @@ This event only generates if the parent object has a particular entry in its [SA **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -136,13 +136,13 @@ This event only generates if the parent object has a particular entry in its [SA - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 @@ -182,4 +182,4 @@ For 5137(S): A directory service object was created. - If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class. -- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.). \ No newline at end of file +- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There's no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.). \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 93dac293aa..0757dcd92c 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -77,13 +77,13 @@ This event only generates if the container to which the Active Directory object **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** name of account that requested that the object be undeleted or restored. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -105,7 +105,7 @@ This event only generates if the container to which the Active Directory object **Object:** -- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it. +- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will point to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. > @@ -139,13 +139,13 @@ This event only generates if the container to which the Active Directory object - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 @@ -185,4 +185,4 @@ For 5138(S): A directory service object was undeleted. - If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name. -- It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted. \ No newline at end of file +- It may be a good idea to monitor all undelete events, because the operation isn't performed often. Confirm that there's a reason for the object to be undeleted. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index 00145f3a61..eabd06efdf 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -77,13 +77,13 @@ This event only generates if the destination object has a particular entry in it **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “move object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -139,13 +139,13 @@ This event only generates if the destination object has a particular entry in it - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 @@ -185,4 +185,4 @@ For 5139(S): A directory service object was moved. - If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name. -- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There is no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.). \ No newline at end of file +- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There's no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.). \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index 067637aa9b..b5ae516ec7 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -78,13 +78,13 @@ This event generates once per session, when first access attempt was made. **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -120,7 +120,7 @@ This event generates once per session, when first access attempt was made. - ::1 or 127.0.0.1 means localhost. -- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access. +- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access. - 0 for local access attempts. @@ -134,7 +134,7 @@ This event generates once per session, when first access attempt was made. - **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event. -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event. +- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event. ## Security Monitoring Recommendations @@ -144,9 +144,9 @@ For 5140(S, F): A network share object was accessed. - If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. -- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. +- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range. -- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**). +- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**). - If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event. diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index f69e095286..e63227b1ad 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -77,13 +77,13 @@ This event only generates if the deleted object has a particular entry in its [S **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -137,13 +137,13 @@ This event only generates if the deleted object has a particular entry in its [S - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 @@ -193,4 +193,4 @@ For 5141(S): A directory service object was deleted. - If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class. -- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion. \ No newline at end of file +- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects that shouldn't be deleted, monitor for their deletion. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 636a19a1bd..e533127f2a 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -78,13 +78,13 @@ This event generates every time network share object was modified. **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify network share object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -120,9 +120,9 @@ This event generates every time network share object was modified. Advanced Sharing illustration -- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set. +- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set. -- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set. +- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set. - **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited. @@ -155,7 +155,7 @@ This event generates every time network share object was modified. | "AU" | Authenticated users | "LG" | Local guest | | "BA" | Built-in administrators | "LS" | Local service account | | "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | +| "BO" | Backup operators | "NU" | Network sign-in user | | "BU" | Built-in users | "NO" | Network configuration operators | | "CA" | Certificate server administrators | "NS" | Network service account | | "CG" | Creator group | "PO" | Printer operators | @@ -167,7 +167,7 @@ This event generates every time network share object was modified. | "DU" | Domain users | "RC" | Restricted code | | "EA" | Enterprise administrators | "SA" | Schema administrators | | "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | +| "WD" | Everyone | "SU" | Service sign-in user | - *G*: = Primary Group. - *D*: = DACL Entries. @@ -187,7 +187,7 @@ Example: D:(A;;FA;;;WD) "P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set. "AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. @@ -213,7 +213,7 @@ Example: D:(A;;FA;;;WD) "CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. +"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE. "NP" - NO PROPAGATE: only immediate children inherit this ace. @@ -224,7 +224,7 @@ Example: D:(A;;FA;;;WD) "SA" - SUCCESSFUL ACCESS AUDIT "FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. +- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. | Value | Description | Value | Description | |----------------------------|---------------------------------|----------------------|--------------------------| @@ -246,7 +246,7 @@ Example: D:(A;;FA;;;WD) - object\_guid: N/A - inherit\_object\_guid: N/A -- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above. For more information about SDDL syntax, see these articles: , . diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 9c980ce0f3..1368fde95e 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -78,13 +78,13 @@ This event generates every time network share object (file or folder) was access **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -120,7 +120,7 @@ This event generates every time network share object (file or folder) was access - ::1 or 127.0.0.1 means localhost. -- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access. +- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access. - 0 for local access attempts. @@ -136,7 +136,7 @@ This event generates every time network share object (file or folder) was access - **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. +- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. ## Table of file access codes @@ -144,10 +144,10 @@ This event generates every time network share object (file or folder) was access |-----------------------------------------------------------|----------------------------|---------------| | ReadData (or ListDirectory) | 0x1,
                        %%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
                        **ListDirectory -** For a directory, the right to list the contents of the directory. | | WriteData (or AddFile) | 0x2,
                        %%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
                        **AddFile -** For a directory, the right to create a file in the directory. | -| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
                        %%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
                        **AddSubdirectory -** For a directory, the right to create a subdirectory.
                        **CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
                        %%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations won't overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
                        **AddSubdirectory -** For a directory, the right to create a subdirectory.
                        **CreatePipeInstance -** For a named pipe, the right to create a pipe. | | ReadEA | 0x8,
                        %%4419 | The right to read extended file attributes. | | WriteEA | 0x10,
                        %%4420 | The right to write extended file attributes. | -| Execute/Traverse | 0x20,
                        %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
                        **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. | +| Execute/Traverse | 0x20,
                        %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
                        **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). For more information, see the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights). | | DeleteChild | 0x40,
                        %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | | ReadAttributes | 0x80,
                        %%4423 | The right to read file attributes. | | WriteAttributes | 0x100,
                        %%4424 | The right to write file attributes. | @@ -155,7 +155,7 @@ This event generates every time network share object (file or folder) was access | READ\_CONTROL | 0x20000,
                        %%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | | WRITE\_DAC | 0x40000,
                        %%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | | WRITE\_OWNER | 0x80000,
                        %%1540 | The right to change the owner in the object's security descriptor | -| SYNCHRONIZE | 0x100000,
                        %%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| SYNCHRONIZE | 0x100000,
                        %%1541 | The right to use the object for synchronization. This right enables a thread to wait until the object is in the signaled state. Some object types don't support this access right. | | ACCESS\_SYS\_SEC | 0x1000000,
                        %%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | > Table 13. File access codes. @@ -193,7 +193,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. | "AU" | Authenticated users | "LG" | Local guest | | "BA" | Built-in administrators | "LS" | Local service account | | "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | +| "BO" | Backup operators | "NU" | Network sign-in user | | "BU" | Built-in users | "NO" | Network configuration operators | | "CA" | Certificate server administrators | "NS" | Network service account | | "CG" | Creator group | "PO" | Printer operators | @@ -205,7 +205,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. | "DU" | Domain users | "RC" | Restricted code | | "EA" | Enterprise administrators | "SA" | Schema administrators | | "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | +| "WD" | Everyone | "SU" | Service sign-in user | - *G*: = Primary Group. - *D*: = DACL Entries. @@ -225,7 +225,7 @@ Example: D:(A;;FA;;;WD) "P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set. "AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. @@ -251,7 +251,7 @@ Example: D:(A;;FA;;;WD) "CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. +"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE. "NP" - NO PROPAGATE: only immediate children inherit this ace. @@ -262,7 +262,7 @@ Example: D:(A;;FA;;;WD) "SA" - SUCCESSFUL ACCESS AUDIT "FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. +- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. | Value | Description | Value | Description | |----------------------------|---------------------------------|----------------------|--------------------------| @@ -284,7 +284,7 @@ Example: D:(A;;FA;;;WD) - object\_guid: N/A - inherit\_object\_guid: N/A -- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above. For more information about SDDL syntax, see these articles: , . @@ -294,9 +294,9 @@ For 5145(S, F): A network share object was checked to see whether client can be > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. +- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range. -- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**). +- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**). - If you have critical files or folders on specific network shares, for which you need to monitor access attempts (Success and Failure), monitor for specific **Share Information\\Share Name** and **Share Information\\Relative Target Name**. diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 094f91e5f3..d8739009b8 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -17,9 +17,9 @@ ms.technology: windows-sec # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. -In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected. +In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack starts or was detected. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 3be32e2a0c..5cbafb7fe3 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -17,9 +17,9 @@ ms.technology: windows-sec # 5149(F): The DoS attack has subsided and normal processing is being resumed. -In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended. +In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack ends. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index 1e2cec8711..20bb33c8fc 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -109,7 +109,7 @@ This event is generated for every received network packet. - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Source Port** \[Type = UnicodeString\]**:** port number on which application received the packet. @@ -123,7 +123,7 @@ This event is generated for every received network packet. - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet. @@ -167,20 +167,20 @@ For 5152(F): The Windows Filtering Platform blocked a packet. - If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” - Check that **Source Address** is one of the addresses assigned to the computer. -- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges). +- If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges). - If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**. -- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list. +- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that aren't in the allowlist. - If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”** -- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17. +- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17. - If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index 4cd691deaf..4b45c0c9cd 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -95,10 +95,10 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/ - IPv6 Address - :: - all IP addresses in IPv6 format - +s - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application. @@ -112,7 +112,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/ **Filter Information:** -- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field. +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you'll get value **0** in this field. To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example: @@ -128,7 +128,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/ For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. -- If you have an “allow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information. +- If you've an “allowlist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information. - If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”** @@ -138,7 +138,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index b4626b59c1..06487ca949 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. -By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself. +By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system won't generate Event 5155 by itself. You can add your own filters using the WFP APIs to block listen to reproduce this event: . @@ -72,7 +72,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/ **Application Information**: -- **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process which was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): +- **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process that was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): Task manager illustration @@ -100,7 +100,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/ - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Source Port** \[Type = UnicodeString\]**:** The port number used by the application. @@ -126,7 +126,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/ **Filter Information:** -- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you will get a 0 value in this field. +- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you'll get a 0 value in this field. To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**), for example: @@ -134,7 +134,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/ - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name. -- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example: +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As a result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example: Wfpstate xml illustration diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index f19c968a01..4c668565fa 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Source Port** \[Type = UnicodeString\]**:** port number from which the connection was initiated. @@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received. @@ -167,20 +167,20 @@ For 5156(S): The Windows Filtering Platform has permitted a connection. - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” - Check that “**Source Address”** is one of the addresses assigned to the computer. -- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). +- If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). - If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”** -- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list. +- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist. - If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”** -- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17. +- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17. - If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index e860f2729c..3569920d49 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection. @@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection. @@ -167,20 +167,20 @@ For 5157(F): The Windows Filtering Platform has blocked a connection. - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” - Check that “**Source Address”** is one of the addresses assigned to the computer. -- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). +- If the\` computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). - If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”** -- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list. +- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist. - If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”** -- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17. +- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17. - If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index f2a088807e..e2ecfbd040 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -90,7 +90,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/ **Network Information:** -- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bind the port. +- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bound the port. - IPv4 Address @@ -100,7 +100,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/ - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Source Port** \[Type = UnicodeString\]**:** port number which application was bind. @@ -126,7 +126,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/ **Filter Information:** -- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field. +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you'll get value 0 in this field. To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example: @@ -144,7 +144,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” @@ -152,6 +152,6 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port - If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”** -- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17. +- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 6 or 17. - If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index c66d53025f..61393ef168 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -98,7 +98,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l - 0.0.0.0 - all IP addresses in IPv4 format - - 127.0.0.1 , ::1 - localhost + - 127.0.0.1, ::1 - localhost - **Source Port** \[Type = UnicodeString\]**:** the port number used by the application. @@ -124,7 +124,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l **Filter Information:** -- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field. +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you'll get value 0 in this field. To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example: @@ -138,4 +138,4 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. \ No newline at end of file +- There's no recommendation for this event in this document. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index 08210802e3..7b2b12b6e5 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -85,7 +85,7 @@ It typically generates when network adapter connects to new wireless network. - **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -125,16 +125,16 @@ You can see interface’s GUID using the following commands: - **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: , . -- **Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document. +- **Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document. -- **EAP Reason Code** \[Type = HexInt32\]**:** there is no information about this field in this document. See additional information here: . +- **EAP Reason Code** \[Type = HexInt32\]**:** there's no information about this field in this document. See additional information here: . -- **EAP Root Cause String** \[Type = UnicodeString\]**:** there is no information about this field in this document. +- **EAP Root Cause String** \[Type = UnicodeString\]**:** there's no information about this field in this document. -- **EAP Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document. +- **EAP Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document. ## Security Monitoring Recommendations For 5632(S, F): A request was made to authenticate to a wireless network. -- There is no recommendation for this event in this document. \ No newline at end of file +- There's no recommendation for this event in this document. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 045943bcdf..0cc09756be 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. This event generates on the target computer itself. -It is a routine event which shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer. +It's a routine event that shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer. This event generates every time Group Policy is applied to the computer. @@ -82,7 +82,7 @@ You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet wi For 6144(S): Security policy in the group policy objects has been applied successfully. -- If you have a pre-defined list of Group Policy Objects which contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and in case of any difference trigger an alert. +- If you have a pre-defined list of Group Policy Objects that contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and if there's any difference, you must trigger an alert. - This event is mostly an informational event. diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index 17484bcaf1..3a84f0746a 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself. -This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name. +This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings can't be resolved or translated to the real account name. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -66,7 +66,7 @@ This event generates, for example, if the [SID](/windows/win32/secauthz/security ***Field Descriptions:*** -**Error Code** \[Type = UInt32\]: specific error code which shows the error which happened during Group Policy processing. You can find the meaning of specific error code here: . For example, error code 1332 means that “no mapping between account names and security IDs was done”. +**Error Code** \[Type = UInt32\]: specific error code that shows the error that happened during Group Policy processing. You can find the meaning of specific error code here: . For example, error code 1332 means that “no mapping between account names and security IDs was done”. **GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied with errors to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”. @@ -80,7 +80,7 @@ You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet wi For 6145(F): One or more errors occurred while processing security policy in the group policy objects. -- This event indicates that Group Policy Objects which were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors. +- This event indicates that Group Policy Objects that were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors. - If you have a pre-defined list of Group Policy Objects that contain Security Settings and that must be applied to specific computers, check this event to see if errors occurred when the Security Settings were applied. If so, you can review the error codes and investigate the cause of the failure. diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index a4404d8d5d..08849399ff 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -1,6 +1,6 @@ --- -title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10) -description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid. +title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. (Windows 10) +description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,16 +14,16 @@ ms.author: dansimp ms.technology: windows-sec --- -# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. +# 6281(F): Code Integrity determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. -[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. +[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error. +This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index e8efbf0ec1..cd6d137b5a 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -19,7 +19,7 @@ ms.technology: windows-sec [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) @@ -35,4 +35,4 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. \ No newline at end of file +- There's no recommendation for this event in this document. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index 5f556714d7..49d868e4de 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -19,7 +19,7 @@ ms.technology: windows-sec [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) @@ -37,4 +37,4 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. \ No newline at end of file +- There's no recommendation for this event in this document. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index a5d377eb0e..791511b97c 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -1,6 +1,6 @@ --- title: 6407(-) 1%. (Windows 10) -description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document. +description: Describes security event 6407(-) 1%. This event is a BranchCache event, which is outside the scope of this document. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -19,7 +19,7 @@ ms.technology: windows-sec [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) @@ -35,4 +35,4 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. \ No newline at end of file +- There's no recommendation for this event in this document. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index bc2da0e57f..36e66234e1 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -1,6 +1,6 @@ --- -title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10) -description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. +title: 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. (Windows 10) +description: Describes security event 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -17,11 +17,11 @@ ms.technology: windows-sec # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. -[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. +[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. This event generates due to writable [shared sections](/previous-versions/windows/desktop/cc307397(v=msdn.10)) being present in a file image. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index a5df9bf707..605274b0a5 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -23,9 +23,9 @@ ms.technology: windows-sec This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer. -If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type. +If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This user/group addition enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type. -If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL. +If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This SACL (of such a constitution) means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL. This policy setting must be used in combination with the **File System** security policy setting under Object Access. For more information, see [Audit File System](audit-file-system.md). ## Related topics diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 3dc75d64ed..0d27bc3fda 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -23,7 +23,7 @@ ms.technology: windows-sec This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. -Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced. +Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They're stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced. Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index 643795c7e2..1a7fbfe2d2 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -1,6 +1,6 @@ --- title: Monitor claim types (Windows 10) -description: Learn how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. +description: Learn how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options. ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 ms.reviewer: ms.author: dansimp @@ -21,11 +21,11 @@ ms.technology: windows-sec # Monitor claim types -This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. +This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options. Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted. -Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic +Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. @@ -36,7 +36,7 @@ Access Control in your network, see [Deploy a Central Access Policy (Demonstrati 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. -5. Select the **Configure the following audit events** check box, select the **Success** check box (andthe **Failure** check box, if desired), and then click **OK**. +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being monitored. diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index 1be153db59..c9c75a970e 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -1,6 +1,6 @@ --- title: Monitor resource attribute definitions (Windows 10) -description: Learn how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. +description: Learn how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects. ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de ms.reviewer: ms.author: dansimp @@ -21,12 +21,12 @@ ms.technology: windows-sec # Monitor resource attribute definitions -This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. +This topic for the IT professional describes how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object. For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md). -Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). +Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index a1780808e5..15c31fb0d2 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -23,7 +23,7 @@ ms.technology: windows-sec This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management. -Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). +Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you haven't yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). **To configure settings to monitor changes to central access policies** diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index 20be28d785..73427802a4 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -21,7 +21,7 @@ ms.technology: windows-sec # Monitor the resource attributes on files and folders -This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. +This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples include: diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index 865b1b5aaf..759bc149b4 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -21,11 +21,11 @@ ms.technology: windows-sec # Monitor user and device claims during sign-in -This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. +This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you're using advanced security auditing options to monitor dynamic access control objects. -Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at sign-on. For example, information about Department, Company, Project, or Security clearances might be included in the token. +Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at the sign-in stage. For example, information about Department, Company, Project, or Security clearances might be included in the token. -Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). +Use the following procedures to monitor changes to user claims and device claims in the user’s sign-in token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 4f9f9b93e8..08a07d6718 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -23,7 +23,7 @@ ms.technology: windows-sec This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. -Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. +Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you've a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements. @@ -134,7 +134,7 @@ To effectively audit user activity, begin by listing the different types of user Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a business partner, customer, or general user; the data they have access to; and the permissions they have to access that data. -The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. +The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create more columns to differentiate between different types of network activity, such as sign-in hours and permission use. | Groups | Data | Possible auditing considerations | | - | - | - | @@ -187,7 +187,7 @@ By using Group Policy, you can apply your security audit policy to defined group - Decide whether every policy setting that you select should be enforced across the organization or apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. - By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that's linked at a lower level can overwrite inherited policies. - For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of additional settings. To do this, you can link a second GPO to that specific lower-level OU. Then, a logon audit setting that's applied at the OU level will override a conflicting logon audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing. + For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of extra settings. To do this assignation, you can link a second GPO to that specific lower-level OU. Then, a sign-in audit setting that's applied at the OU level will override a conflicting sign-in audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing. - Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to *computer* OUs, not to *user* OUs. But in most cases, you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This functionality enables auditing for a security group that contains only the users you specify. @@ -270,12 +270,12 @@ Compromise to an organization's data resources can cause tremendous financial lo The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers. -In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track a variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network: +In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track various user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network: -- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful logon attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use a variety of credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. +- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful sign-in attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use various credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - **Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md)**: These policy settings enable you to monitor the applications that a user opens and close on a computer. -- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enable you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. -- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to log on with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious. +- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enables you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. +- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to sign in with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious. - **Logon/Logoff\\[Audit Logoff](audit-logoff.md)** and **Logon/Logoff\\[Audit Logon](audit-logon.md)**: Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. > [!NOTE] @@ -309,7 +309,7 @@ The following network activity policy settings enable you to monitor security-re - **Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md)**: Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these protections. - **Policy Change**: These policy settings and events enable you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, monitoring any changes or attempted changes to these policies can be an important aspect of security management for a network. - **Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md)**: This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network can't be detected. -- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor a variety of changes to an organization's IPsec policies. +- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor various changes to an organization's IPsec policies. - **Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)**: This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it's protected against network attacks. ### Confirm operating system version compatibility @@ -331,9 +331,9 @@ These settings enable you to exercise much tighter control over which activities ### *Success*, *failure*, or both -Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This is an important question. The answer depends on the criticality of the event and the implications of the decision for event volume. +Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This question is an important one. The answer depends on the criticality of the event and the implications of the decision for event volume. -For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events. +For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this access failure could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events. But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so that you have an audit trail of every user who tries to access the resource. @@ -341,12 +341,12 @@ But if the file share has sensitive information, such as trade secrets, you may Networks may contain hundreds of servers that run critical services or store critical data, all of which need to be monitored. There may be tens or even hundreds of thousands of computers on the network. These numbers may not be an issue if the ratio of servers or client computers per administrator is low. And even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how the administrator will obtain event data to review. Following are some options for obtaining the event data. -- Will you keep event data on a local computer until an administrator logs on to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity. -- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer. +- Will you keep event data on a local computer until an administrator signs in to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity. +- Will you collect event data so that it can be reviewed from a central console? If so, there are many computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer. In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what happens when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and select **Properties**. You can configure the following properties: -- **Overwrite events as needed (oldest events first)**: This is the default option, which is acceptable in most situations. +- **Overwrite events as needed (oldest events first)**: This option is the default one, which is acceptable in most situations. - **Archive the log when full, do not overwrite events**: This option can be used when all log data needs to be saved. But the scenario suggests that you may not be reviewing audit data frequently enough. - **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you don't want to lose any audit data, don't want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. @@ -359,7 +359,7 @@ Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\ - **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. - **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained. -Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](/previous-versions/tn-archive/dd206732(v=technet.10)). +Many organizations are now required to store archived log files for many years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](/previous-versions/tn-archive/dd206732(v=technet.10)). ## Deploy the security audit policy @@ -373,4 +373,4 @@ However, unless you can run fairly realistic simulations of network usage patter - A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon** - A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings -After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete. \ No newline at end of file +After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include more OUs and sets of audit policy settings until production deployment is complete. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index 1c305a4439..7d7e21c1f3 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -25,14 +25,14 @@ Topics in this section are for IT professionals and describes the security audit ## -Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. +Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you've determined to be valuable in your risk assessment. ## In this section | Topic | Description | | - | - | |[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | -|[Advanced security audit policies](./advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. | +|[Advanced security audit policies](./advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently. | diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 564c7cdfe4..95aa186d93 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -1,6 +1,6 @@ --- title: Block untrusted fonts in an enterprise (Windows 10) -description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. +description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.reviewer: manager: dansimp ms.prod: m365-security @@ -19,13 +19,13 @@ ms.technology: windows-sec > Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -To help protect your company from attacks which may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. +To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. ## What does this mean for me? -Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on. +Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature isn't turned on. ## How does this feature work? -There are 3 ways to use this feature: +There are three ways to use this feature: - **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. @@ -37,9 +37,9 @@ There are 3 ways to use this feature: - **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). ## Potential reductions in functionality -After you turn this feature on, your employees might experience reduced functionality when: +After you turn on this feature, your employees might experience reduced functionality when: -- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. +- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. - Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls). @@ -55,13 +55,13 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m **To turn on and use the Blocking Untrusted Fonts feature through Group Policy** 1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. -2. Click **Enabled** to turn the feature on, and then click one of the following **Mitigation Options**: +2. Click **Enabled** to turn on the feature, and then click one of the following **Mitigation Options**: - - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + - **Block untrusted fonts and log events.** Turns on the feature, blocking untrusted fonts and logging installation attempts to the event log. - - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + - **Do not block untrusted fonts.** Turns on the feature, but doesn't block untrusted fonts nor does it log installation attempts to the event log. - - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + - **Log events without blocking untrusted fonts**. Turns on the feature, logging installation attempts to the event log, but not blocking untrusted fonts. 3. Click **OK**. @@ -90,7 +90,7 @@ To turn this feature on, off, or to use audit mode: 5. Restart your computer. ## View the event log -After you turn this feature on, or start using Audit mode, you can look at your event logs for details. +After you turn on this feature, or start using Audit mode, you can look at your event logs for details. **To look at your event log** @@ -128,7 +128,7 @@ After you turn this feature on, or start using Audit mode, you can look at your ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. -After you figure out the problematic fonts, you can try to fix your apps in 2 ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted. +After you figure out the problematic fonts, you can try to fix your apps in two ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted. **To fix your apps by installing the problematic fonts (recommended)** @@ -138,7 +138,7 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa 1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

                        For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. +2. Add other processes that need to be excluded here, and then turn on the Blocking untrusted fonts feature, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. ## Related content diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 4a0981cf1f..90770727f0 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -23,8 +23,8 @@ ms.technology: windows-sec This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11. Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. -If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. +This incompatibility can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +If these issues occur, see [Troubleshooting](#troubleshooting) for remediation steps. > [!NOTE] > Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. @@ -60,7 +60,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. -4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. +4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI can't be disabled remotely or select **Enabled without UEFI lock**. ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) @@ -70,7 +70,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup ### Use registry keys to enable virtualization-based protection of code integrity -Set the following registry keys to enable HVCI. This provides exactly the same set of configuration options provided by Group Policy. +Set the following registry keys to enable HVCI. These keys provide exactly the same set of configuration options provided by Group Policy. @@ -208,7 +208,7 @@ Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windo > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. -The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. +The output of this command provides details of the available hardware-based security features and those features that are currently enabled. #### AvailableSecurityProperties @@ -223,7 +223,7 @@ Value | Description **4.** | If present, Secure Memory Overwrite is available. **5.** | If present, NX protections are available. **6.** | If present, SMM mitigations are available. -**7.** | If present, Mode Based Execution Control is available. +**7.** | If present, MBEC/GMET is available. **8.** | If present, APIC virtualization is available. #### InstanceIdentifier @@ -243,7 +243,7 @@ Value | Description **4.** | If present, Secure Memory Overwrite is needed. **5.** | If present, NX protections are needed. **6.** | If present, SMM mitigations are needed. -**7.** | If present, Mode Based Execution Control is needed. +**7.** | If present, MBEC/GMET is needed. #### SecurityServicesConfigured @@ -251,7 +251,7 @@ This field indicates whether the Windows Defender Credential Guard or HVCI servi Value | Description -|- -**0.** | No services configured. +**0.** | No services are configured. **1.** | If present, Windows Defender Credential Guard is configured. **2.** | If present, HVCI is configured. **3.** | If present, System Guard Secure Launch is configured. @@ -279,7 +279,7 @@ This field indicates whether VBS is enabled and running. Value | Description -|- -**0.** | VBS is not enabled. +**0.** | VBS isn't enabled. **1.** | VBS is enabled but not running. **2.** | VBS is enabled and running. @@ -295,7 +295,7 @@ Another method to determine the available and enabled Windows Defender Device Gu A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**. -B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. +B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you're able to sign in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. @@ -315,7 +315,7 @@ C. If you experience a critical error during boot or your system is unstable aft HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Application Control are the same from within the virtual machine. -WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine: +WDAC protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable WDAC for a virtual machine: ```powershell Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true @@ -324,6 +324,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. -- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the HyperV role on the virtual machine, you must first install the HyperV role in a Windows nested virtualization environment. -- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. -- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment. +- Virtual Fibre Channel adapters aren't compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 82d351a624..7e6029430c 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -1,9 +1,7 @@ --- -title: Windows Defender Application Control and virtualization-based code integrity (Windows 10) +title: Windows Defender Application Control and virtualization-based code integrity description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC). -keywords: virtualization, security, malware, device guard ms.prod: m365-security -ms.mktglfcycl: deploy ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -28,12 +26,12 @@ Using Windows Defender Application Control to restrict devices to only authorize 1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 2. WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows. -3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization’s digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy. +3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization's digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy. 4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important because an attacker that compromises the kernel could normally disable most system defenses, including those enforced by WDAC or any other application control solution. ## Why we no longer use the Device Guard brand -When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. This misled many people to assume that if systems couldn't use HVCI, they couldn’t use WDAC either. +When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. This misled many people to assume that if systems couldn't use HVCI, they couldn't use WDAC either. WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion. @@ -43,6 +41,5 @@ We hope this change will help us better communicate options for adopting applica ## Related articles - [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) -- [Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) -- [Driver compatibility with Windows Defender in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) +- [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) - [Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index bec34fe509..7a99baa345 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor-Protected Code Integrity (also known as Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy @@ -16,12 +16,12 @@ ms.author: dansimp ms.technology: windows-sec --- -# Baseline protections and additional qualifications for virtualization-based protection of code integrity +# Baseline protections and other qualifications for virtualization-based protection of code integrity **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers won't be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. @@ -38,42 +38,42 @@ The following tables provide more information about the hardware, firmware, and |Baseline Protections | Description | Security benefits | |--------------------------------|----------------------------------------------------|-------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | -| Hardware: **CPU virtualization extensions**,
                        plus **extended page tables** | These hardware features are required for VBS:
                        One of the following virtualization extensions:
                        • VT-x (Intel) or
                        • AMD-V
                        And:
                        • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Hardware: **CPU virtualization extensions**,
                        plus **extended page tables** | These hardware features are required for VBS:
                        One of the following virtualization extensions:
                        • VT-x (Intel) or
                        • AMD-V
                        And:
                        • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system can't be exploited because of this isolation. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This guarantee can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | +| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware can't run in kernel. Only code verified through code integrity can run in kernel mode. | | Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                        Important:
                        Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                        | Support for VBS and for management features. | > **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. -## Additional qualifications for improved security +## Other qualifications for improved security -The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met. +The following tables describe other hardware and firmware qualifications, and the improved security that is available when these qualifications are met. -### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 +### More security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| -| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
                        • In the BIOS configuration, BIOS authentication must be set.
                        • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
                        • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
                        • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
                        • In the BIOS configuration, BIOS authentication must be set.
                        • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
                        • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This guarantee helps protect against a physically present user with BIOS access.
                        • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
                        -### Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 +### More security qualifications starting with Windows 10, version 1607, and Windows Server 2016 | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
                        • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
                        • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
                        • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
                        • HSTI 1.1.a provides extra security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
                        • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
                        • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
                        • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
                        • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
                        -### Additional security qualifications starting with Windows 10, version 1703 +### More security qualifications starting with Windows 10, version 1703 | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                        • UEFI runtime service must meet these requirements:
                            • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                            • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                            • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                                • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                                • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                        Notes:
                        • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                        • This protection is applied by VBS on OS page tables.


                        Please also note the following:
                        • Do not use sections that are both writeable and executable
                        • Do not attempt to directly modify executable system memory
                        • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                        • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                        • Reduces the attack surface to VBS from system firmware.
                        • Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                        • UEFI runtime service must meet these requirements:
                            • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                            • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                            • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                                • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                                • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                        Notes:
                        • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                        • This protection is applied by VBS on OS page tables.


                        Also note the following guidelines:
                        • Don't use sections that are both writeable and executable
                        • Don't attempt to directly modify executable system memory
                        • Don't use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                        • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                        • Reduces the attack surface to VBS from system firmware.
                        • Blocks other security attacks against SMM. | diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 2159488c70..156cb74287 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -1,6 +1,6 @@ --- title: Get support -description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization. +description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT). ms.prod: m365-security ms.localizationpriority: medium ms.author: dansimp @@ -15,87 +15,69 @@ ms.technology: windows-sec # Get Support for Windows baselines -**What is the Microsoft Security Compliance Manager (SCM)?** +## Frequently asked questions -The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. +### What is the Microsoft Security Compliance Manager (SCM)? -More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). +The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. -**Where can I get an older version of a Windows baseline?** +For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). -Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT. +### Where can I get an older version of a Windows baseline? -- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10)) -- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx) -- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx) -- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx) +Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix). -**What file formats are supported by the new SCT?** +- [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353) +- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx) +- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx) +- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx) -The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported. +### What file formats are supported by the new SCT? -**Does SCT support Desired State Configuration (DSC) file format?** +The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported. -Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. +### Does SCT support the Desired State Configuration (DSC) file format? -**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** +Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features. -No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). +### Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs? -**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?** +No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement). -No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support. +### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies? -
                        +No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit also doesn't include SCAP support. -## Version Matrix +## Version matrix -**Client Versions** +### Client versions -| Name | Build | Baseline Release Date | Security Tools | +| Name | Build | Baseline release date | Security tools | |---|---|---|---| -|Windows 10 | [1709 (RS3)](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft)

                        [1703 (RS2)](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final)

                        [1607 (RS1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)

                        [1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final)

                        [1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017

                        August 2017

                        October 2016

                        January 2016

                        January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -Windows 8 |[9200](/previous-versions/tn-archive/jj916413(v=technet.10)) |October 2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))| -Windows 7 |[7601 (SP1)](/previous-versions/tn-archive/ee712767(v=technet.10))| October 2009| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Vista |[6002 (SP2)](/previous-versions/tn-archive/dd450978(v=technet.10))| January 2007| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Windows XP |[2600 (SP3)](/previous-versions/tn-archive/cc163061(v=technet.10))| October 2001| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))| +| Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft)

                        [Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final)

                        [Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)

                        [1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final)

                        [1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017

                        August 2017

                        October 2016

                        January 2016

                        January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -
                        +### Server versions -**Server Versions** - -| Name | Build | Baseline Release Date | Security Tools | +| Name | Build | Baseline release date | Security tools | |---|---|---|---| |Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | |Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)| -|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -Windows Server 2008 R2 |[SP1](/previous-versions/tn-archive/gg236605(v=technet.10))|2009 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Windows Server 2008 |[SP2](/previous-versions/tn-archive/cc514539(v=technet.10))| 2008 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -|Windows Server 2003 R2|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))| 2003 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))| -|Windows Server 2003|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))|2003|[SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))| +|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -
                        +### Microsoft products -**Microsoft Products** - - -| Name | Details | Security Tools | -|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| -| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Internet Explorer 10 | [Technet](/previous-versions/tn-archive/jj898540(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Internet Explorer 9 | [Technet](/previous-versions/tn-archive/hh539027(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Internet Explorer 8 | [Technet](/previous-versions/tn-archive/ee712766(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | -| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | - -
                        +| Name | Details | Security tools | +|--|--|--| +| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | +| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | +| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | +| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | > [!NOTE] -> Browser baselines are built-in to new OS versions starting with Windows 10 +> Browser baselines are built-in to new OS versions starting with Windows 10. ## See also -[Windows security baselines](windows-security-baselines.md) \ No newline at end of file +[Windows security baselines](windows-security-baselines.md) diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index c8fafe64a7..b38ebe2069 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -12,9 +12,9 @@ ms.technology: windows-sec # What is Microsoft Baseline Security Analyzer and its uses? -Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. +Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. -MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. +MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016. > [!NOTE] > In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. @@ -31,7 +31,7 @@ For example: [![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. -The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers. +The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers. ## More Information diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 99819da4d5..d9221e9bca 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,10 +8,10 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/10/2022 +ms.date: 08/22/2022 ms.reviewer: manager: dansimp -ms.custom: asr +ms.custom: sasr ms.technology: windows-sec --- @@ -30,14 +30,17 @@ Application Guard uses both network isolation and application-specific settings. These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. +> [!NOTE] +> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode. + > [!NOTE] > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy. |Policy name|Supported versions|Description| |-----------|------------------|-----------| |Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (`|`) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.

                        Note that this list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| -|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.

                        Note that this list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (`|`) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.

                        This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.

                        This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| ## Network isolation settings wildcards @@ -53,19 +56,18 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
                        - Disable the clipboard functionality completely when Virtualization Security is enabled.
                        - Enable copying of certain content from Application Guard into Microsoft Edge.
                        - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

                        **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
                        - Enable Application Guard to print into the XPS format.
                        - Enable Application Guard to print into the PDF format.
                        - Enable Application Guard to print to locally attached printers.
                        - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

                        **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

                        Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

                        **NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

                        **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                        **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                        **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

                        **To reset the container:**
                        1. Open a command-line program and navigate to `Windows/System32`.
                        2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
                        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

                        Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
                        - Enable Microsoft Defender Application Guard only for Microsoft Edge
                        - Enable Microsoft Defender Application Guard only for Microsoft Office
                        - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

                        **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

                        Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

                        **Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

                        **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                        Windows 10 Pro, 1809 or higher

                        Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

                        **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

                        Windows 10 Pro, 1809 or higher

                        Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

                        **Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                        Windows 10 Pro, 1809 or higher

                        Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

                        **Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally:
                        - Disable the clipboard functionality completely when Virtualization Security is enabled.
                        - Enable copying of certain content from Application Guard into Microsoft Edge.
                        - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

                        **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally:
                        - Enable Application Guard to print into the XPS format.
                        - Enable Application Guard to print into the PDF format.
                        - Enable Application Guard to print to locally attached printers.
                        - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

                        **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                        **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                        **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

                        **To reset the container:**
                        1. Open a command-line program and navigate to `Windows/System32`.
                        2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
                        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

                        Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
                        - Enable Microsoft Defender Application Guard only for Microsoft Edge
                        - Enable Microsoft Defender Application Guard only for Microsoft Office
                        - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

                        **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

                        **Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

                        Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

                        **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

                        Windows 10 Pro, 1803 or higher

                        Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

                        **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                        Windows 10 Pro, 1809 or higher

                        Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

                        **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

                        Windows 10 Pro, 1809 or higher

                        Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

                        **Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                        Windows 10 Pro, 1809 or higher

                        Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

                        **Disabled or not configured.** Event logs aren't collected from your Application Guard container.| ## Application Guard support dialog settings -These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you are presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it is possible to provide additional information in the dialog box. +These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box. [Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information). diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index b641427ea4..603c2014c5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -41,16 +41,16 @@ sections: answer: | The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements. - To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: + To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.” - It must be an FQDN. A simple IP address won't work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - question: | How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? answer: | - Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. + Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune. - question: | Which Input Method Editors (IME) in 19H1 aren't supported? @@ -73,19 +73,19 @@ sections: - question: | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? answer: | - This feature is currently experimental only and isn't functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + This feature is currently experimental only and isn't functional without an extra registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - question: | What is the WDAGUtilityAccount local account? answer: | - WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error: + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error: **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - question: | How do I trust a subdomain in my site list? answer: | - To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. + To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted. - question: | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? @@ -128,7 +128,7 @@ sections: - question: | Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? answer: | - This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: + This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) @@ -143,7 +143,7 @@ sections: - Port 67 ### Second rule (DHCP Client) - This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: + This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: 1. Right-click on inbound rules, and then create a new rule. @@ -169,19 +169,19 @@ sections: 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - question: | - How can I disable portions of ICS without breaking Application Guard? + How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard? answer: | - ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 2. Disable IpNat.sys from ICS load as follows:
                        `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - 3. Configure ICS (SharedAccess) to enabled as follows:
                        + 3. Configure ICS (SharedAccess) to be enabled as follows:
                        `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - 4. (This is optional) Disable IPNAT as follows:
                        + 4. (This step is optional) Disable IPNAT as follows:
                        `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` 5. Reboot the device. @@ -210,9 +210,9 @@ sections: - `{71a27cdd-812a-11d0-bec7-08002be2092f}` - question: | - I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this? + I'm encountering TCP fragmentation issues, and can't enable my VPN connection. How do I fix this issue? answer: | - WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: + WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this solution has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index d91da6e81c..92960da468 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/20/2021 +ms.date: 08/25/2022 ms.reviewer: manager: dansimp ms.custom: asr @@ -19,8 +19,8 @@ ms.technology: windows-sec **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 Education, Enterprise, and Professional +- Windows 11 Education, Enterprise, and Professional The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -31,13 +31,16 @@ The threat landscape is continually evolving. While hackers are busy developing Your environment must have the following hardware to run Microsoft Defender Application Guard. +> [!NOTE] +> Application Guard currently isn't supported on Windows 11 ARM64 devices. + | Hardware | Description | |--------|-----------| -| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| | CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

                        **AND**

                        One of the following virtualization extensions for VBS:
                        VT-x (Intel)
                        **OR**
                        AMD-V | -| Hardware memory | Microsoft requires a minimum of 8GB RAM | -| Hard disk | 5 GB free space, solid state disk (SSD) recommended | -| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended | +| Hardware memory | Microsoft requires a minimum of 8-GB RAM | +| Hard disk | 5-GB free space, solid state disk (SSD) recommended | +| Input/Output Memory Management Unit (IOMMU) support| Not required, but recommended | ## Software requirements @@ -45,6 +48,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
                        Windows 10 Professional edition, version 1809 or higher
                        Windows 10 Professional for Workstations edition, version 1809 or higher
                        Windows 10 Professional Education edition, version 1809 or higher
                        Windows 10 Education edition, version 1809 or higher
                        Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
                        Windows 11 | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
                        Windows 10 Professional edition, version 1809 or higher
                        Windows 10 Professional for Workstations edition, version 1809 or higher
                        Windows 10 Professional Education edition, version 1809 or higher
                        Windows 10 Education edition, version 1809 or higher
                        Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
                        Windows 11 Education, Enterprise, and Professional | | Browser | Microsoft Edge | | Management system
                        (only for managed devices)| [Microsoft Intune](/intune/)

                        **OR**

                        [Microsoft Endpoint Configuration Manager](/configmgr/)

                        **OR**

                        [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

                        **OR**

                        Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 60dacaca16..3f1a94a7ad 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -1,13 +1,9 @@ --- -title: Microsoft Defender SmartScreen overview (Windows) +title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security author: mjcaparas ms.author: macapara -audience: ITPro ms.localizationpriority: high ms.reviewer: manager: dansimp @@ -19,7 +15,7 @@ adobe-target: true **Applies to:** -- Windows 10 +- Windows 10 - Windows 11 - Microsoft Edge @@ -41,15 +37,15 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: -- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) +- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/). -- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. +- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. -- **Management through Group Policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). +- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). - **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). @@ -58,7 +54,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites ## Submit files to Microsoft Defender SmartScreen for review -If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](../intelligence/submission-guide.md). +If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide). When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. @@ -72,6 +68,7 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). ## Viewing Windows event logs for Microsoft Defender SmartScreen + Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer. Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: @@ -83,15 +80,14 @@ wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true > [!NOTE] > For information on how to use the Event Viewer, see [Windows Event Viewer](/host-integration-server/core/windows-event-viewer1). - | EventID | Description | |---|---| | 1000 | Application Windows Defender SmartScreen Event | | 1001 | Uri Windows Defender SmartScreen Event | | 1002 | User Decision Windows Defender SmartScreen Event | -## Related topics -- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) -- [Threat protection](../index.md) -- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) -- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference) \ No newline at end of file +## Related articles + +- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) +- [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md) +- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference) diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md index 9be071fa44..e6403fafa5 100644 --- a/windows/security/threat-protection/msft-security-dev-lifecycle.md +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -1,6 +1,6 @@ --- title: Microsoft Security Development Lifecycle -description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development. +description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development. ms.prod: m365-security author: dansimp ms.author: dansimp @@ -18,7 +18,7 @@ The Security Development Lifecycle (SDL) is a security assurance process that is [:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl) -Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. +With the help of the combination of a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. The Microsoft SDL is based on three core concepts: - Education diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 681a9ae413..c19f67e476 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -22,14 +22,14 @@ Windows 10 includes Group Policy-configurable “Process Mitigation Options” t > [!IMPORTANT] > We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization’s required apps. -The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are: +The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are: - **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention). -- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). - **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). - To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`. + To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`. The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings. diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 436d94ab00..d9a47da3b6 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -21,7 +21,7 @@ This topic provides an overview of some of the software and firmware threats fac |--------------|-------------------------| | [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | -| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | +| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they're built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | | [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://www.microsoft.com/download/details.aspx?id=48240) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. | This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: @@ -58,9 +58,9 @@ Windows 10 mitigations that you can configure are listed in the following two ta | **Credential Guard**
                        helps keep attackers
                        from gaining access through
                        Pass-the-Hash or
                        Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
                        Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

                        **More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) | | **Enterprise certificate pinning**
                        helps prevent
                        man-in-the-middle attacks
                        that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

                        **More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) | | **Device Guard**
                        helps keep a device
                        from running malware or
                        other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
                        Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

                        **More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) | -| **Microsoft Defender Antivirus**,
                        which helps keep devices
                        free of viruses and other
                        malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved to a considerable extent since it was introduced in Windows 8.

                        **More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic | +| **Microsoft Defender Antivirus**,
                        which helps keep devices
                        free of viruses and other
                        malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved significantly since it was introduced in Windows 8.

                        **More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic | | **Blocking of untrusted fonts**
                        helps prevent fonts
                        from being used in
                        elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

                        **More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) | -| **Memory protections**
                        help prevent malware
                        from using memory manipulation
                        techniques such as buffer
                        overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
                        A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

                        **More information**: [Table 2](#table-2), later in this topic | +| **Memory protections**
                        help prevent malware
                        from using memory manipulation
                        techniques such as buffer
                        overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
                        A subset of apps won't be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

                        **More information**: [Table 2](#table-2), later in this topic | | **UEFI Secure Boot**
                        helps protect
                        the platform from
                        boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

                        **More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) | | **Early Launch Antimalware (ELAM)**
                        helps protect
                        the platform from
                        rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the anti-malware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

                        **More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) | | **Device Health Attestation**
                        helps prevent
                        compromised devices from
                        accessing an organization's
                        assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

                        **More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](/windows-server/security/device-health-attestation) | @@ -73,8 +73,8 @@ As an IT professional, you can ask application developers and software vendors t | Mitigation and corresponding threat | Description | |---|---| -| **Data Execution Prevention (DEP)**
                        helps prevent
                        exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
                        DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, most applications do not.
                        **More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

                        **Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure more DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | -| **SEHOP**
                        helps prevent
                        overwrites of the
                        Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
                        **More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

                        **Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure more SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **Data Execution Prevention (DEP)**
                        helps prevent
                        exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
                        DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, most applications don't.
                        **More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

                        **Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure more DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **SEHOP**
                        helps prevent
                        overwrites of the
                        Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
                        **More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

                        **Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure more SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | | **ASLR**
                        helps mitigate malware
                        attacks based on
                        expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This loading - of specific DLLs -helps mitigate malware that's designed to attack specific memory locations.
                        **More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

                        **Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure more ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | ### Windows Defender SmartScreen @@ -147,7 +147,7 @@ You can use Control Panel to view or change DEP settings. - **Turn on DEP for essential Windows programs and services only** - - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. + - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP won't be turned on. #### To use Group Policy to control DEP settings @@ -155,7 +155,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co ### Structured Exception Handling Overwrite Protection -Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. +Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they've been compiled with the latest improvements. You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). @@ -163,7 +163,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could overwrite it in well-known and predictable locations. -Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. +Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it's more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. :::image type="content" alt-text="ASLR at work." source="images/security-fig4-aslr.png" lightbox="images/security-fig4-aslr.png"::: @@ -175,9 +175,9 @@ You can use the Group Policy setting called **Process Mitigation Options** to co ## Mitigations that are built in to Windows 10 -Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. +Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The subsequent table describes some of these mitigations. -Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require an application developer to configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. +Control Flow Guard (CFG) is a mitigation that doesn't need configuration within the operating system, but does require an application developer to configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they're compiled. ### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed @@ -188,7 +188,7 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within | **Universal Windows apps protections**
                        screen downloadable
                        apps and run them in
                        an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

                        **More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | | **Heap protections**
                        help prevent
                        exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures that help protect against corruption of memory used by the heap.

                        **More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | | **Kernel pool protections**
                        help prevent
                        exploitation of pool memory
                        used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

                        **More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | -| **Control Flow Guard**
                        helps mitigate exploits
                        based on
                        flow between code locations
                        in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
                        For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this attempt occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

                        **More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Control Flow Guard**
                        helps mitigate exploits
                        based on
                        flow between code locations
                        in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It's built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
                        For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this attempt occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

                        **More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | | **Protections built into Microsoft Edge** (the browser)
                        helps mitigate multiple
                        threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

                        **More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. | ### SMB hardening improvements for SYSVOL and NETLOGON shares @@ -206,7 +206,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interacti ### Universal Windows apps protections -When users download Universal Windows apps from the Microsoft Store, it's unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. +When users download Universal Windows apps from the Microsoft Store, it's unlikely that they'll encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. @@ -226,7 +226,7 @@ Windows 10 has several important improvements to the security of the heap: ### Kernel pool protections -The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one that can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. +The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory ("nonpaged pool") and one that can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. In addition to pool hardening, Windows 10 includes other kernel hardening features: @@ -240,23 +240,23 @@ In addition to pool hardening, Windows 10 includes other kernel hardening featur - **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination. -- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This allocation for the system makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory. +- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps aren't allowed to allocate that portion of the memory. This allocation for the system makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory. ### Control Flow Guard -When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls the other code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs. +When applications are loaded into memory, they're allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls the other code located in other memory addresses. The relationships between the code locations are well known—they're written in the code itself—but previous to Windows 10, the flow between these locations wasn't enforced, which gave attackers the opportunity to change the flow to meet their needs. -This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. +This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location isn't trusted, the application is immediately terminated as a potential security risk. -An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](/windows/win32/secbp/control-flow-guard). +An administrator can't configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](/windows/win32/secbp/control-flow-guard). Browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. ### Microsoft Edge and Internet Explorer 11 -Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. +Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users can't perform at least part of their job without a browser, and many users are reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. -All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. +All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples are Flash and Java extensions that enable their respective applications to run inside a browser. The security of Windows 10 for the purposes of web browsing and applications, especially for these two content types, is a priority. Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially: @@ -270,13 +270,13 @@ Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is m - **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, making it more secure by default. -In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. You cannot configure it as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. +In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that don't work with Microsoft Edge. You can't configure it as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. For sites that require IE11 compatibility, including those sites that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. ### Functions that software vendors can use to build mitigations into apps -Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you are working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps. +Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you're working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps. > [!NOTE] > Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic. @@ -297,7 +297,7 @@ Some of the protections available in Windows 10 are provided through functions t ## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit -You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore haven't been brought into Windows 10. Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly the ones assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)). @@ -310,7 +310,7 @@ The following table lists EMET features in relation to Windows 10 features. |

                      • DEP
                      • SEHOP
                      • ASLR (Force ASLR, Bottom-up ASLR)|DEP, SEHOP, and ASLR are included in Windows 10 as configurable features. See [Table 2](#table-2), earlier in this topic.You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.| |
                      • Load Library Check (LoadLib)
                      • Memory Protection Check (MemProt)|LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See [Table 4](#functions-that-software-vendors-can-use-to-build-mitigations-into-apps), earlier in this topic.| |Null Page|Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in [Kernel pool protections](#kernel-pool-protections), earlier in this topic.| -|
                      • Heap Spray
                      • EAF
                      • EAF+|Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.| +|
                      • Heap Spray
                      • EAF
                      • EAF+|Windows 10 doesn't include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and don't significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.| |
                      • Caller Check
                      • Simulate Execution Flow
                      • Stack Pivot
                      • Deep Hooks (an ROP "Advanced Mitigation")
                      • Anti Detours (an ROP "Advanced Mitigation")
                      • Banned Functions (an ROP "Advanced Mitigation")|Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in [Control Flow Guard](#control-flow-guard), earlier in this topic.| ### Converting an EMET XML settings file into Windows 10 mitigation policies diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index ed70e30816..36714ba7df 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -35,7 +35,7 @@ Windows 10 is an important component of an end-to-end security solution that foc ## Description of a robust end-to-end security solution -Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in all industries. +Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there's no doubt that malware now targets both consumers and professionals in all industries. During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. @@ -61,7 +61,7 @@ The following figure shows a solution built to assess device health from the clo Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. -Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. +Secure Boot is a firmware validation process that helps prevent rootkit attacks; it's part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel. @@ -118,7 +118,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. - A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: + A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that aren't compatible with each other: - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. @@ -149,15 +149,15 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). - Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. + Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity didn't compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. > [!NOTE] > Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. - **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. - Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. - Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. + Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) can't be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. + Secure Boot configuration policy does this protective action with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. @@ -165,7 +165,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. - Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. + Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. @@ -174,8 +174,8 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. - The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). -- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. + The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). +- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10. Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtual) section. @@ -183,7 +183,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. - HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. + HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code can't be directly modified. > [!NOTE] > Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. @@ -199,7 +199,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik - **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. - Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. + Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset. For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](/previous-versions/windows/hardware/design/dn653311(v=vs.85)). @@ -217,7 +217,7 @@ The following Windows 10 services are protected with virtualization-based securi - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory - **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. -- **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. +- **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. > [!NOTE] > Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. @@ -234,18 +234,18 @@ remote machines, which mitigates many PtH-style attacks. Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: -- **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. +- **The per-boot key** is used for any in-memory credentials that don't require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. - **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key. Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This activation is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. ### Device Guard -Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. +Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those applications that are trusted by the organization. The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. -Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. +Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10, kernel-mode drivers must be digitally signed. > [!NOTE] > Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](https://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. @@ -264,7 +264,7 @@ Device Guard needs to be planned and configured to be truly effective. It isn't There are three different parts that make up the Device Guard solution in Windows 10: - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. -- After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. +- After the hardware security feature, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). @@ -280,9 +280,9 @@ SAWs are computers that are built to help significantly reduce the risk of compr To protect high-value assets, SAWs are used to make secure connections to those assets. -Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. +Similarly, on corporate fully managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. -It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. +It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. @@ -291,7 +291,7 @@ Before you can benefit from the protection included in Device Guard, Code Integr Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. -When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the +When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable that offers tampering protection. The only way to update the Device Guard policy later is to provide a new version of the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the UpdateSigner section. ### The importance of signing applications @@ -301,13 +301,13 @@ On computers with Device Guard, Microsoft proposes to move from a world where un With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed. -In organizations today, many LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed. +In organizations today, many LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for various reasons, like the lack of code signing expertise. Even if code signing is a best practice, many internal applications aren't signed. -Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. +Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create more signatures that can be distributed along with existing applications. ### Why are antimalware and device management solutions still necessary? -Although allow-list mechanisms are efficient at ensuring that only trusted applications can be run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. +Although allowlist mechanisms are efficient at ensuring that only trusted applications can be run, they can't prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user’s knowledge. @@ -321,7 +321,7 @@ MDM solutions are becoming prevalent as a light-weight device management technol ### Device health attestation -Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. +Device health attestation uses the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. @@ -335,21 +335,21 @@ The following table details the hardware requirements for both virtualization-ba |--- |--- | |UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.

                        UEFI Secure Boot ensures that the device boots only authorized code.

                        Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”| |Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.

                        **Note:** Device Guard can be enabled without using virtualization-based security.
                        | -|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).

                        Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies.| +|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).

                        Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.| |IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.| -|Trusted Platform Module (TPM)|Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| +|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| -This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. +This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. ## Detect an unhealthy Windows 10-based device -As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. +As of today, many organizations only consider devices to be compliant with company policy after they’ve passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. -As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. +As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because health attestation uses the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. -By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. +After the devices attest a trusted boot state, they can prove that they aren't running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. ### What is the concept of device health? @@ -359,7 +359,7 @@ However, the use of traditional malware prevention technologies like antimalware The definition of device compliance will vary based on an organization’s installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. -The health of the device isn't binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by leveraging trustworthy hardware TPM. +The health of the device isn't binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by using trustworthy hardware TPM. But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision. @@ -367,7 +367,7 @@ But health attestation only provides information, which is why an MDM solution i In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. -This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. +This approach is the most secure one available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs' values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. A relying party like an MDM can inspect the report generated by the remote health attestation service. @@ -378,7 +378,7 @@ Windows 10 supports health attestation scenarios by allowing applications access Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. -In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. +In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. This reason is what makes it important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. @@ -386,7 +386,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R :::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png"::: -When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. +When you start a device equipped with TPM, a measurement of different components is performed. These components include firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. :::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png"::: @@ -398,7 +398,7 @@ The health attestation process works as follows: 4. Windows kernel is measured. 5. Antivirus software is started as the first kernel mode driver. 6. Boot start drivers are measured. -7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP. +7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP. 8. Boot measurements are validated by the Health Attestation Service > [!NOTE] @@ -432,7 +432,7 @@ In a simplified manner, the TPM is a passive component with limited resources. I A TPM incorporates in a single component: -- A RSA 2048-bit key generator +- An RSA 2048-bit key generator - A random number generator - Nonvolatile memory for storing EK, SRK, and AIK keys - A cryptographic engine to encrypt, decrypt, and sign @@ -442,7 +442,7 @@ A TPM incorporates in a single component: The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). -The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. +The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)). @@ -467,16 +467,16 @@ Because the endorsement certificate is unique for each device and doesn't change The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. -Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. +Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. These certificates aren't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. -In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that isn't backed by an endorsement certificate. +In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that isn't backed by an endorsement certificate. ### Storage root key -The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. +The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken. ### Platform Configuration Registers @@ -484,19 +484,19 @@ The TPM contains a set of registers that are designed to provide a cryptographic The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by expanding the register PCR\[0\] and transfers execution to the firmware. -PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. +PCRs are set to zero when the platform is booted, and it's the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This component is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. -The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log hasn't been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. +The value of a PCR on its own is hard to interpret (it's just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log hasn't been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. ### TPM provisioning -For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. +For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** During the provisioning process, the device may need to be restarted. -Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. +The **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. If the TPM ownership isn't known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** @@ -510,16 +510,16 @@ As part of the provisioning process, Windows 10 will create an AIK with the TPM. Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. -The following is a list of functions performed by the Windows 10 Health Attestation CSP: +The following list is that of the functions performed by the Windows 10 Health Attestation CSP: - Collects data that is used to verify a device’s health status - Forwards the data to the Health Attestation Service - Provisions the Health Attestation Certificate that it receives from the Health Attestation Service - Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification -During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. +During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. -When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it. +When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device didn't reboot between the time that it attested its health and the time that the MDM server validated it. ### Windows Health Attestation Service @@ -530,8 +530,8 @@ The role of Windows Health Attestation Service is essentially to evaluate a set Checking that a TPM attestation and the associated log are valid takes several steps: -1. First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. -2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is a **valid signature over PCR values**. +1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. +2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**. 3. Next the logs should be checked to ensure that they match the PCR values reported. 4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource. @@ -554,15 +554,15 @@ The following table presents some key items that can be reported back to MDM dep |--- |--- | |Windows 10 for desktop editions|

                      • PCR0 measurement
                      • Secure Boot Enabled
                      • Secure Boot db matches Expected
                      • Secure Boot dbx is up to date
                      • Secure Boot policy GUID matches Expected
                      • BitLocker enabled
                      • Virtualization-based security enabled
                      • ELAM was loaded
                      • Code Integrity version is up to date
                      • Code Integrity policy hash matches Expected| -### Leverage MDM and the Health Attestation Service +### Use MDM and the Health Attestation Service To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements. -A solution that leverages MDM and the Health Attestation Service consists of three main parts: +A solution that uses MDM and the Health Attestation Service consists of three main parts: -1. A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). -2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. -3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. +1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). +2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. +3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png"::: @@ -587,14 +587,14 @@ Interaction between a Windows 10-based device, the Health Attestation Service, a > [!NOTE] > The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. -Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. +Setting the requirements for device compliance is the first step to ensure that registered devices that don't meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. -That is the purpose of conditional access control, which is detailed in the next section. +That consequence for an unhealthy device is the purpose of conditional access control, which is detailed in the next section. ## Control the security of a Windows 10-based device before access is granted -Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? +Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know little about. Perhaps there's some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. @@ -605,18 +605,18 @@ The figure below shows how the Health Attestation Service is expected to work wi :::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png"::: -An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the +An MDM solution can then use health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources. ### Built-in support of MDM in Windows 10 -Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. +Windows 10 has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows 10-based devices without requiring a separate agent. ### Third-party MDM server support -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). > [!NOTE] > MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](/windows/client-management/mdm/). @@ -625,7 +625,7 @@ The third-party MDM server will have the same consistent first-party user experi ### Management of Windows Defender by third-party MDM -This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. +This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10). @@ -641,10 +641,10 @@ If the device isn't registered, the user will get a message with instructions on ### Office 365 conditional access control -Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional +Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more target groups. -When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. +When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. @@ -676,9 +676,9 @@ To get to a compliant state, the Windows 10-based device needs to: ### Cloud and on-premises apps conditional access control -Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. +Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access. -IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD leverage the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. +IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD use the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](/azure/active-directory/authentication/tutorial-enable-azure-mfa) @@ -694,14 +694,14 @@ For on-premises applications there are two options to enable conditional access The following process describes how Azure AD conditional access works: -1. User has already enrolled with MDM through Workplace Access/Azure AD join which registers device with Azure AD. +1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD. 2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service. 3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any). 4. User logs on and the MDM agent contacts the Intune/MDM server. 5. MDM server pushes down new policies if available and queries health blob state and other inventory state. 6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server. 7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated. -8. Health Attestation Service validates that the device which sent the health attestation blob is healthy, and returns this result to Intune/MDM server. +8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server. 9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device. 10. Intune/MDM server updates compliance state against device object in Azure AD. 11. User opens app, attempts to access a corporate managed asset. @@ -711,11 +711,11 @@ The following process describes how Azure AD conditional access works: For more information about Azure AD join, see [Azure AD & Windows 10: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper. -Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are very powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. +Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. ## Takeaways and summary -The following list contains high-level key take-aways to improve the security posture of any organization. However, the few take-aways presented in this section should not be interpreted as an exhaustive list of security best practices. +The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices. - **Understand that no solution is 100 percent secure** @@ -735,7 +735,7 @@ The following list contains high-level key take-aways to improve the security po - **Sign Device Guard policy** - Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. + Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. - **Use virtualization-based security** @@ -751,11 +751,11 @@ The following list contains high-level key take-aways to improve the security po - **Use AppLocker when it makes sense** - Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows apps for a specific user or a group of users. + Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users. - **Lock down firmware and configuration** - After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index da17209420..1948922041 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). +The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by many network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). Users, devices, and service accounts gain or lose the **Access this computer from network** user right by being explicitly or implicitly added or removed from a security group that has been granted this user right. For example, a user account or a machine account may be explicitly added to a custom security group or a built-in security group, or it may be implicitly added by Windows to a computed security group such as Domain Users, Authenticated Users, or Enterprise Domain Controllers. By default, user accounts and machine accounts are granted the **Access this computer from network** user right when computed groups such as Authenticated Users, and for domain controllers, the Enterprise Domain Controllers group, are defined in the default domain controllers Group Policy Object (GPO). @@ -47,7 +47,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. - On failover clusters, make sure this right is granted to authenticated users. -- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. +- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you've verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -68,13 +68,13 @@ The following table lists the actual and effective default policy values for the ## Policy management -When modifying this user right, the following actions might cause users and services to experience network access issues: +When you modify this user right, the following actions might cause users and services to experience network access issues: - Removing the Enterprise Domain Controllers security group - Removing the Authenticated Users group or an explicit group that allows users, computers, and service accounts the user right to connect to computers over the network - Removing all user and machine accounts -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -95,20 +95,20 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can connect from their device to the network can access resources on target devices for which they have permission. For example, the **Access this computer from the network** user right is required for users to connect to shared printers and folders. If this user right is assigned to the **Everyone** group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 do not include the **Everyone** group. However, if a device is upgraded and the original device includes the **Everyone** group as part of its defined users and groups, that group is transitioned as part of the upgrade process and is present on the device. +Users who can connect from their device to the network can access resources on target devices for which they have permission. For example, the **Access this computer from the network** user right is required for users to connect to shared printers and folders. If this user right is assigned to the **Everyone** group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 don't include the **Everyone** group. However, if a device is upgraded and the original device includes the **Everyone** group as part of its defined users and groups, that group is transitioned as part of the upgrade process and is present on the device. ### Countermeasure -Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who log on to the domain can access resources that are shared +Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared from servers in the domain if members of the **Domain Users** group are included in the local **Users** group. > **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement. ### Potential impact -If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can sign in to the domain or use network resources. If you remove this user right on member servers, users can't connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to other accounts that are required by those components. It's important to verify that authorized users are assigned this user right for the devices that they need to access the network. -If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. +If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This outage is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR isn't a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. ## Related topics [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 5111f06fe9..3aff3ac62f 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -37,7 +37,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually. -It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0. +It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0. ### Location @@ -58,11 +58,11 @@ The following table lists the actual and effective default policy values. Defaul ## Security considerations -More than a few unsuccessful password submissions during an attempt to log on to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track logon attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached. +More than a few unsuccessful password submissions during an attempt to sign in to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track sign-in attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached. ### Vulnerability -A denial-of-service (DoS) condition can be created if an attacker abuses the [Account lockout threshold](account-lockout-threshold.md) policy setting and repeatedly attempts to log on with a specific account. After you configure the Account lockout threshold policy setting, the account will be locked out after the specified number of failed attempts. If you configure the **Account lockout duration** policy setting to 0, the account remains locked until you unlock it manually. +A denial-of-service (DoS) condition can be created if an attacker abuses the [Account lockout threshold](account-lockout-threshold.md) policy setting and repeatedly attempts to sign in with a specific account. After you configure the Account lockout threshold policy setting, the account will be locked out after the specified number of failed attempts. If you configure the **Account lockout duration** policy setting to 0, the account remains locked until you unlock it manually. ### Countermeasure @@ -70,7 +70,7 @@ Configure the **Account lockout duration** policy setting to an appropriate valu ### Potential impact -Configuring the **Account lockout duration** policy setting to 0 so that accounts cannot be automatically unlocked can increase the number of requests that your organization's Help Desk receives to unlock accounts that were locked by mistake. +Configuring the **Account lockout duration** policy setting to 0 so that accounts can't be automatically unlocked can increase the number of requests that your organization's Help Desk receives to unlock accounts that were locked by mistake. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index fdbdef8e1e..7140cd3752 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -27,26 +27,26 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md). +The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account can't be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md). Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. -However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. +However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine. ### Possible values -It is possible to configure the following values for the **Account lockout threshold** policy setting: +It's possible to configure the following values for the **Account lockout threshold** policy setting: - A user-defined number from 0 through 999 - Not defined -Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article. +Because vulnerabilities can exist when this value is configured and when it's not, organizations should weigh their identified threats and the risks that they're trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article. ### Best practices The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization. -As with other account lockout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). +As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article. @@ -73,7 +73,7 @@ This section describes features and tools that are available to help you manage ### Restart requirements -None. Changes to this policy setting become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy setting become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Implementation considerations @@ -81,7 +81,7 @@ Implementation of this policy setting depends on your operational environment. C - The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. Set the account lockout threshold in consideration of the known and perceived risk of those threats. -- When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. +- When there's a negotiation of encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. - Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. @@ -105,24 +105,24 @@ However, a DoS attack could be performed on a domain that has an account lockout ### Countermeasure -Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: +Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: -- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: +- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts won't be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users can't accidentally lock themselves out of their accounts. Because it doesn't prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: - The password policy setting requires all users to have complex passwords of eight or more characters. - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment. - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. - [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack. + [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. - Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems. + Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems. ### Potential impact -If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls. +If this policy setting is enabled, a locked account isn't usable until it's reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate many more Help Desk calls. -If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. +If you configure the **Account lockout threshold** policy setting to 0, there's a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism isn't in place. If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index d3f03a9e97..6fe7c4fe77 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -29,7 +29,7 @@ All account policies settings applied by using Group Policy are applied at the d > [!NOTE] > Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO). -The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies. +The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users sign in to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where both an OU account policy and a domain policy don't apply. ## In this section diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 132ecaa9be..09a0d041d9 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md @@ -37,7 +37,7 @@ The following conditions prevent disabling the Administrator account, even if th 1. Disabled 2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment -If the Administrator account is disabled, you cannot enable it if the password does not meet requirements. In this case, another member of the Administrators group must reset the password. +If the Administrator account is disabled, you can't enable it if the password doesn't meet requirements. In this case, another member of the Administrators group must reset the password. ### Possible values - Enabled @@ -48,7 +48,7 @@ By default, this setting is **Not defined** on domain controllers and **Enabled* ### Best practices -- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there is no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status. +- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there's no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status. ### Location @@ -73,16 +73,16 @@ The following table lists the actual and effective default values for this polic Disabling the administrator account can become a maintenance issue under certain circumstances. Reasons that an organization might consider disabling the built-in administrator account include: - For some organizations, periodically changing the passwords for local accounts can be a daunting management challenge. -- By default, the administrator account cannot be locked—no matter how many failed attempts to sign in a user accrues. This makes it a prime target for brute-force, password-guessing attacks. -- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID. +- By default, the administrator account can't be locked—no matter how many failed attempts to sign in a user accrue. This open state of the account makes it a prime target for brute-force, password-guessing attacks. +- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This authentication approach means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Safe mode considerations -When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account is not enabled. +When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account isn't enabled. ### How to access a disabled Administrator account @@ -96,17 +96,17 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The built-in administrator account cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum. +The built-in administrator account can't be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to sign in. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum. ### Countermeasure -Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account cannot be used in a normal system startup. -If it is very difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack. +Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account can't be used in a normal system startup. +If it's difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack. ### Potential impact -Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there is no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail. -If the current administrator password does not meet the password requirements, you cannot enable the administrator account after it is disabled. If this situation occurs, another member of the administrators group must set the password on the administrator account. +Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there's no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail. +If the current administrator password doesn't meet the password requirements, you can't enable the administrator account after it's disabled. If this situation occurs, another member of the administrators' group must set the password on the administrator account. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index d390220428..0712c6d50d 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -27,27 +27,27 @@ Describes the best practices, location, values, management, and security conside ## Reference -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more details, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md). +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md). There are two options if this setting is enabled: -- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). +- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the sign-in screen). However, users can't use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). -- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. +- **Users can’t add or log on with Microsoft accounts** means that users can't add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. +If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows. ### Possible values - This policy is disabled - Users can’t add Microsoft accounts -- Users can’t add or log on with Microsoft accounts +- Users can’t add or sign in with Microsoft accounts -By default, this setting is not defined on domain controllers and disabled on stand-alone servers. +By default, this setting isn't defined on domain controllers and disabled on stand-alone servers. ### Best practices -- By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users. -- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts. +- If this policy setting is disabled or isn't configured on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This ability to connect provides a convenient option for your users. +- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users won't be able to use the **Settings** app to add new connected accounts. ### Location @@ -72,7 +72,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -80,11 +80,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account is not easily distinguishable, auditing and forensics become more difficult. +Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account isn't easily distinguishable, auditing and forensics become more difficult. ### Countermeasure -Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. +Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users can’t add Microsoft accounts** setting option so that users won't be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 6f785de269..a08a78b36e 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, and security considerations for ## Reference The **Accounts: Guest account status** policy setting determines whether the Guest account is enabled or disabled. -This account allows unauthenticated network users to gain access to the system by logging on as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This can lead to the exposure or corruption of data. +This account allows unauthenticated network users to gain access to the system by signing in as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This privilege means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This accessibility can lead to the exposure or corruption of data. ### Possible values @@ -38,7 +38,7 @@ This account allows unauthenticated network users to gain access to the system b ### Best practices -Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those performed by the SMB Service—will fail. +Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those logons performed by the SMB Service—will fail. ### Location @@ -63,15 +63,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The default Guest account allows unauthenticated network users to log on as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data. +The default Guest account allows unauthenticated network users to sign in as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data. ### Countermeasure -Disable the **Accounts: Guest account status** setting so that the built-in Guest account cannot be used. +Disable the **Accounts: Guest account status** setting so that the built-in Guest account can't be used. ### Potential impact -All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it is the default setting starting with Windows Vista and Windows Server 2003. +All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it's the default setting starting with Windows Vista and Windows Server 2003. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index b630cc0ce5..cde8f45d22 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -29,12 +29,12 @@ Describes the best practices, location, values, and security considerations for The **Accounts: Limit local account use of blank passwords to console logon only** policy setting determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords. If this policy setting is enabled, a local account must have a nonblank password to be used to perform an interactive or network logon from a remote client. -This policy setting does not affect interactive logons that are performed physically at the console or logons that use domain accounts. It is possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting. -Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to log on to systems. +This policy setting doesn't affect interactive logons that are performed physically at the console or logons that use domain accounts. It's possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting. +Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to sign in to systems. -Devices that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can log on by using a user account that does not have a password. This is especially important for portable devices. +Devices that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can sign in by using a user account that doesn't have a password. This policy is especially important for portable devices. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. +If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services. ### Possible values @@ -44,7 +44,7 @@ If you apply this security policy to the Everyone group, no one will be able to ### Best practices -- It is advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled. +- It's advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -77,7 +77,7 @@ The policy as distributed through the GPO takes precedence over the locally conf ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. ## Security considerations @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. Starting with Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on. +Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. From Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to sign in. ### Countermeasure @@ -93,7 +93,7 @@ Enable the **Accounts: Limit local account use of blank passwords to console log ### Potential impact -None. This is the default configuration. +None. This non-impact behavior is the default configuration. ## Related topics [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index d865644cf8..4c849e7de5 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -70,7 +70,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. ## Security considerations @@ -78,9 +78,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation. +The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it's slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation. -The built-in administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. +The built-in administrator account can't be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to sign in. ### Countermeasure @@ -88,7 +88,7 @@ Specify a new name in the **Accounts: Rename administrator account** setting to ### Potential impact -You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account was not disabled.) +You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account wasn't disabled.) ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index 7ce4a682bc..1162ff5210 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -70,7 +70,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. ## Security considerations @@ -83,7 +83,7 @@ or install software that could be used for a later attack on your system. ### Countermeasure -Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. +Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it's slightly more difficult for unauthorized persons to guess this privileged user name and password combination. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index 4c794419c1..5850036933 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access is not limited to what is associated with the user by default. The calling process may request that arbitrary additional privileges be added to the access token. The calling process may also build an access token that does not provide a primary identity for auditing in the system event logs. +The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access isn't limited to what is associated with the user by default. The calling process may request that arbitrary extra privileges be added to the access token. The calling process may also build an access token that doesn't provide a primary identity for auditing in the system event logs. Constant: SeTcbPrivilege ### Possible values @@ -35,8 +35,8 @@ Constant: SeTcbPrivilege - Not defined ### Best practices -- Do not assign this right to any user accounts. Only assign this user right to trusted users. -- If a service requires this user right, configure the service to log on by using the local System account, which inherently includes this user right. Do not create a separate account and assign this user right to it. +- Don't assign this right to any user accounts. Only assign this user right to trusted users. +- If a service requires this user right, configure the service to sign in by using the local System account, which inherently includes this user right. Don't create a separate account and assign this user right to it. ### Location @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values for the ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -77,11 +77,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Act as part of the operating system** user right is extremely powerful. Users with this user right can take complete control of the device and erase evidence of their activities. +The **Act as part of the operating system** user right is powerful. Users with this user right can take complete control of the device and erase evidence of their activities. ### Countermeasure -Restrict the **Act as part of the operating system** user right to as few accounts as possible—it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which inherently includes this privilege. Do not create a separate account and assign this user right to it. +Restrict the **Act as part of the operating system** user right to as few accounts as possible—it shouldn't even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to sign in with the Local System account, which inherently includes this privilege. Don't create a separate account and assign this user right to it. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md index 8e6a02b8ef..471d8a40ba 100644 --- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md +++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain. +This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to 10 workstations to the domain. Adding a machine account to the domain allows the device to participate in Active Directory-based networking. Constant: SeMachineAccountPrivilege @@ -47,7 +47,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignm ### Default values -By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers. +By default, this setting allows access for Authenticated Users on domain controllers, and it isn't defined on stand-alone servers. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. @@ -62,11 +62,11 @@ The following table lists the actual and effective default policy values for the ## Policy management -Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right. +Users can also join a computer to a domain if they've the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they've the **Add workstations to domain** user right. -Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right. +Furthermore, machine accounts that are created through the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created through permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -87,8 +87,8 @@ This policy has the following security considerations: ### Vulnerability -The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative -privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group. +The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative +privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could sign in with that account, and then add a personal domain account to the local Administrators group. ### Countermeasure @@ -96,7 +96,7 @@ Configure this setting so that only authorized members of the IT team are allowe ### Potential impact -For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain. +For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those organizations that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It doesn't affect existing computers unless they're removed from and then added to the domain. ## Related topics - [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 297de36841..f60583b08c 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -28,7 +28,7 @@ This article discusses different methods to administer security policy settings Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization. -Security settings policies are rules that you can configure on a device, or multiple devices, for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. +Security settings policies are rules that you can configure on a device, or multiple devices, for protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. Security settings can control: @@ -83,10 +83,10 @@ The secedit command-line tool works with security templates and provides six pri - The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server. - The **Analyze** parameter compares the server's security configuration with the selected template. -- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also. +- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this cloning also. - The **Export** parameter allows you to export the settings from a database into a security settings template. -- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue. -- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. +- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This validation ensures that if the template fails to apply syntax, the template won't be the issue. +- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template won't change access control list entries on files or registry entries that were changed by the most recently applied template. ## Using the Security Compliance Manager @@ -107,9 +107,9 @@ SCW is a role-based tool: You can use it to create a policy that enables service The following are considerations for using SCW: - SCW disables unnecessary services and provides Windows Firewall with Advanced Security support. -- Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file. +- Security policies that are created with SCW aren't the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those settings that can be set with SCW. However, it's possible to include a security template in an SCW security policy file. - You can deploy security policies that you create with SCW by using Group Policy. -- SCW does not install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager. +- SCW doesn't install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager. - SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. - All apps that use the IP protocol and ports must be running on the server when you run SCW. - In some cases, you must be connected to the Internet to use the links in the SCW help. @@ -149,20 +149,19 @@ Security Configuration and Analysis is an MMC snap-in for analyzing and configur ### Security analysis -The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security. +The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This unreversed state of the changes means that a computer may no longer meet the requirements for enterprise security. Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. -Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security -Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. +Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings don't match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. ### Security configuration -Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template. +Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. These security templates immediately configure the system security with the levels specified in the template. ### Security templates -With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. +With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It's a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in doesn't introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once. @@ -184,18 +183,18 @@ Security templates can be used to define: - Registry: Permissions for registry keys - File System: Permissions for folders and files -Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. +Each template is saved as a text-based .inf file. This file enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. ### Security settings extension to Group Policy -Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. +Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you to change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. -Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control: +Security settings or security policies are rules that are configured on a device or multiple devices for protecting resources on a device or network. Security settings can control: - How users are authenticated to a network or device -- What resources users are authorized to use. -- Whether or not a user's or group's actions are recorded in the event log. -- Group membership. +- What resources users are authorized to use +- Whether or not a user's or group's actions are recorded in the event log +- Group membership You can change the security configuration on multiple computers in two ways: @@ -208,18 +207,18 @@ A security policy is a combination of security settings that affect the security With the local security policy, you can control: -- Who accesses your device. -- What resources users are authorized to use on your device. -- Whether or not a user's or group's actions are recorded in the event log. +- Who accesses your device +- What resources users are authorized to use on your device +- Whether or not a user's or group's actions are recorded in the event log -If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence. +If your local device is joined to a domain, you're subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you're a member of. If you're getting a policy from more than one source, conflicts are resolved in the following order of precedence. 1. Organizational unit policy 1. Domain policy 1. Site policy 1. Local computer policy -If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. +If you modify the security settings on your local device by using the local security policy, then you're directly modifying the settings on your device. Therefore, the settings take effect immediately, but this effect may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. ### Using the Security Configuration Manager @@ -233,10 +232,10 @@ For procedures on how to use the Security Configuration Manager, see [Security C ### Applying security settings -Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: +Once you've edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: - When a device is restarted, the settings on that device will be refreshed. -- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe. +- To force a device to refresh its security settings and all Group Policy settings, use gpupdate.exe. **Precedence of a policy when more than one policy is applied to a computer** @@ -247,7 +246,7 @@ For security settings that are defined by more than one policy, the following or 1. Site Policy 1. Local computer Policy -For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override +For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there's a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. > [!NOTE] @@ -260,23 +259,23 @@ Security settings may still persist even if a setting is no longer defined in th Persistence in security settings occurs when: -- The setting has not been previously defined for the device. +- The setting hasn't been previously defined for the device. - The setting is for a registry object. - The setting is for a file system object. -All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing." +All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value doesn't exist in the database, then the setting doesn't revert to anything and remains defined as is. This behavior is sometimes called "tattooing." Registry and file settings will maintain the values applied through policy until that setting is set to other values. **Filtering security settings based on group membership** -You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. +You can also decide what users or groups will or won't have a Group Policy Object applied to them regardless of what computer they've signed into by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. ### Importing and exporting security templates -Security Configuration and Analysis provides the ability to import and export security templates into or from a database. +Security Configuration and Analysis enables import and export of security templates into or from a database. -If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. +If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature enables saving the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. ### Analyzing security and viewing results @@ -286,26 +285,26 @@ Security Configuration and Analysis displays the analysis results by security ar |Visual flag |Meaning | |---------|---------| -|Red X |The entry is defined in the analysis database and on the system, but the security setting values do not match.| +|Red X |The entry is defined in the analysis database and on the system, but the security setting values don't match.| |Green check mark |The entry is defined in the analysis database and on the system and the setting values match.| -|Question mark |The entry is not defined in the analysis database and, therefore, was not analyzed.
                        If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.| -|Exclamation point |This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.| -|No highlight |The item is not defined in the analysis database or on the system.| +|Question mark |The entry isn't defined in the analysis database and, therefore, wasn't analyzed.
                        If an entry isn't analyzed, it may be that it wasn't defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.| +|Exclamation point |This item is defined in the analysis database, but doesn't exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but doesn't actually exist on the analyzed system.| +|No highlight |The item isn't defined in the analysis database or on the system.| If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. -To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. +To avoid continued flagging of settings that you've investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. ### Resolving security discrepancies You can resolve discrepancies between analysis database and system settings by: - Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**. -- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. +- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels. - Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. -In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. +In general, don't use **Configure Computer Now** when you're analyzing security for domain-based clients, since you'll have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. ### Automating security configuration tasks diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 1ad9f2883f..595d9b29e8 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -1,6 +1,6 @@ --- title: Allow log on through Remote Desktop Services (Windows 10) -description: Best practices, location, values, policy management, and security considerations for the security policy setting, Allow log on through Remote Desktop Services. +description: Best practices, location, values, policy management, and security considerations for the security policy setting. Allow a sign-in through Remote Desktop Services. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 ms.reviewer: ms.author: dansimp @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server. +This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection. It's possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to sign in to the console of that same server. Constant: SeRemoteInteractiveLogonRight @@ -38,7 +38,7 @@ Constant: SeRemoteInteractiveLogonRight ### Best practices -- To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group. +- To control who can open a Remote Desktop Services connection and sign in to the device, add users to or remove users from the Remote Desktop Users group. ### Location @@ -66,13 +66,13 @@ This section describes different features and tools available to help you manage ### Group Policy -To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server. +To use Remote Desktop Services to successfully sign in to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It's possible for a user to establish a Remote Desktop Services session to a particular server, but not be able to sign in to the console of that same server. To exclude users or groups, you can assign the **Deny log on through Remote Desktop Services** user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the **Allow log on through Remote Desktop Services** user right. For more information, see [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md). -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -89,11 +89,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Any account with the **Allow log on through Remote Desktop Services** user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. +Any account with the **Allow log on through Remote Desktop Services** user right can sign in to the remote console of the device. If you don't restrict this user right to legitimate users who must sign in to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. ### Countermeasure -For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. +For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and don't run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. > **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default. @@ -101,7 +101,7 @@ Alternatively, you can assign the **Deny log on through Remote Desktop Services* ### Potential impact -Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. +Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities aren't adversely affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 39535992d7..6b5311ba25 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -62,11 +62,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Auditing -Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users back up or restore user rights, those events will not be audited. +Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users back up or restore user rights, those events won't be audited. Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This setup can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index cc93c278b5..d4f0fd8113 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -38,7 +38,7 @@ There are over 40 auditing subcategories that provide precise details about acti ### Best practices -- Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy. +- Leave the setting enabled. This "enabled" state helps audit events at the category level without revising a policy. ### Location @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -71,9 +71,9 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep ### Auditing -To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. +To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. -If the category level audit policy that is set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set. +If the category level audit policy that is set here isn't consistent with the events that are currently being generated, the cause might be that this registry key is set. ### Command-line tools diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 7cc7a09a81..867e169424 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, management practices, and securi ## Reference -The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**. +The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it's unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message if there's a failure of the auditing system. Enabling this policy setting stops the system if a security audit can't be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**. -With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears: +With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry can't be overwritten, the following Stop message appears: **STOP: C0000244 {Audit Failed}**: An attempt to generate a security audit failed. -To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired. +To recover, you must sign in, archive the log (optional), clear the log, and reset this option as desired. If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident. @@ -67,11 +67,11 @@ The following table lists the actual and effective default values for this polic ## Policy management This section describes features and tools that are available to help you manage this policy. -The administrative burden of enabling this policy setting can be very high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security log. Additionally, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it cannot guarantee that every data file for every application will still be in a usable form when the system is restarted. +The administrative burden of enabling this policy setting can be high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it's overwhelmed with sign-in events and other security events that are written to the security log. Additionally, because the shutdown isn't graceful, it's possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it can't guarantee that every data file for every application will still be in a usable form when the system is restarted. ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -91,7 +91,7 @@ Enable the **Audit: Shut down system immediately if unable to log security audit ### Potential impact -If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there is no guarantee that every data file for every application will still be in a usable form when the device restarts. +If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it's overwhelmed with sign-in events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it's possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there's no guarantee that every data file for every application will still be in a usable form when the device restarts. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index 239a32f7b1..f41f877de5 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders. +This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right doesn't allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders. Constant: SeChangeNotifyPrivilege @@ -40,7 +40,7 @@ Constant: SeChangeNotifyPrivilege ### Best practices -1. Use access–based enumeration when you want to prevent users from seeing any folder or file to which they do not have access. +1. Use access–based enumeration when you want to prevent users from seeing any folder or file to which they don't have access. 2. Use the default settings of this policy in most cases. If you change the settings, verify your intent through testing. ### Location @@ -62,9 +62,9 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs).The ability to traverse the folder does not provide any Read or Write permissions to the user. +Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs). The ability to traverse the folder doesn't provide any Read or Write permissions to the user. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -85,11 +85,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The default configuration for the **Bypass traverse checking** setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder does not provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions does not understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk. +The default configuration for the **Bypass traverse checking** setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder doesn't provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions doesn't understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk. ### Countermeasure -Organizations that are extremely concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users cannot see any folder or file to which they do not have access. For more info about this feature, see [Access-based Enumeration](/previous-versions/windows/it-pro/windows-server-2003/cc784710(v=ws.10)). +Organizations that are concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users can't see any folder or file to which they don't have access. For more info about this feature, see [Access-based Enumeration](/previous-versions/windows/it-pro/windows-server-2003/cc784710(v=ws.10)). ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index c3d5940ecc..bd9df622f1 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can adjust the time on the device's internal clock. This right allows the computer user to change the date and time associated with records in the event logs, database transactions, and the file system. This right is also required by the process that performs time synchronization. This setting does not impact the user’s ability to change the time zone or other display characteristics of the system time. For info about assigning the right to change the time zone, see [Change the time zone](change-the-time-zone.md). +This policy setting determines which users can adjust the time on the device's internal clock. This right allows the computer user to change the date and time associated with records in the event logs, database transactions, and the file system. This right is also required by the process that performs time synchronization. This setting doesn't impact the user’s ability to change the time zone or other display characteristics of the system time. For info about assigning the right to change the time zone, see [Change the time zone](change-the-time-zone.md). Constant: SeSystemtimePrivilege @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -89,7 +89,7 @@ Users who can change the time on a computer could cause several problems. For ex - Time stamps on event log entries could be made inaccurate - Time stamps on files and folders that are created or modified could be incorrect - Computers that belong to a domain might not be able to authenticate themselves -- Users who try to log on to the domain from devices with inaccurate time might not be able to authenticate. +- Users who try to sign in to the domain from devices with inaccurate time might not be able to authenticate. Also, because the Kerberos authentication protocol requires that the requester and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a device's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets. @@ -100,7 +100,7 @@ The risk from these types of events is mitigated on most domain controllers, mem - All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. - The PDC emulator operations master at the root of the domain is authoritative for the organization. Therefore, we recommend that you configure this computer to synchronize with a reliable external time server. -This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that is not accurate. +This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that isn't accurate. ### Countermeasure @@ -108,7 +108,7 @@ Restrict the **Change the system time** user right to users with a legitimate ne ### Potential impact -There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source, such as a web service. +There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that don't belong to the domain should be configured to synchronize with an external source, such as a web service. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index c5a8a0a8e1..a5669229ef 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for frequently used programs and data. Although the file is hidden from browsing, you can manage it using the system settings. +Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It's used to supplement the computer’s Random Access Memory (RAM) to improve performance for frequently used programs and data. Although the file is hidden from browsing, you can manage it using the system settings. This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced device performance. +Users who can change the page file size could make it small or move the file to a highly fragmented storage volume, which could cause reduced device performance. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index b506e0c131..718a99a7bd 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs. -When a user logs on to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user's privileges. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. +When a user signs in to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user's privileges. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Constant: SeCreateTokenPrivilege @@ -40,7 +40,7 @@ Constant: SeCreateTokenPrivilege ### Best practices -- This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. +- This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System. ### Location @@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -This user right is used internally by the operating system. By default, it is not assigned to any user groups. +This user right is used internally by the operating system. By default, it isn't assigned to any user groups. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -86,11 +86,11 @@ This section describes how an attacker might exploit a feature or its configurat >**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. -Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they are currently logged on. They could escalate their privileges or create a DoS condition. +Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users sign in to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they're currently logged on. They could escalate their privileges or create a DoS condition. ### Countermeasure -Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. +Don't assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index fd0acee762..b4f0048aa0 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. +This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. -A global object is an object that is created to be used by any number of processes or threads, even those not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access. +A global object is an object that can be used by any number of processes or threads, even those processes or threads not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access. Constant: SeCreateGlobalPrivilege @@ -40,7 +40,7 @@ Constant: SeCreateGlobalPrivilege ### Best practices -- Do not assign any user accounts this right. +- Don't assign any user accounts this right. ### Location @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -A restart of the device is not required for this policy setting to take effect. +A restart of the device isn't required for this policy setting to take effect. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -90,7 +90,7 @@ By default, members of the **Administrators** group, the System account, and ser ### Countermeasure -When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right. +When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assigning them this user right. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index d5d9820efd..3302b6c613 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management, and security ## Reference -This user right determines if users can create a symbolic link from the device they are logged on to. +This user right determines if users can create a symbolic link from the device they're logged on to. -A symbolic link is a file-system object that points to another file-system object. The object that's pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. +A symbolic link is a file-system object that points to another file-system object that is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. >**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Constant: SeCreateSymbolicLinkPrivilege @@ -41,7 +41,7 @@ Constant: SeCreateSymbolicLinkPrivilege ### Best practices -- Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. +- Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. ### Location @@ -66,7 +66,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes different features and tools available to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -95,7 +95,7 @@ Users who have the **Create symbolic links** user right could inadvertently or m ### Countermeasure -Do not assign the **Create symbolic links** user right to standard users. Restrict this right to trusted administrators. You can use the **fsutil** command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer. +Don't assign the **Create symbolic links** user right to standard users. Restrict this right to trusted administrators. You can use the **fsutil** command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index cfed5fd439..22eda320a1 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. +This policy setting allows you to define other computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an extra access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific server. These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device. -This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. +This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running. ### Possible values @@ -43,7 +43,7 @@ This policy setting allows you to specify an ACL in two different ways. You can - Blank - This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. ### Location @@ -67,14 +67,14 @@ The following table lists the actual and effective default values for this polic This section describes features and tools that are available to help you manage this policy. ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy -The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users are not changed. Use care in configuring the list of users and groups. +The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This precedence means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users aren't changed. Use care in configuring the list of users and groups. -If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click -**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. +If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click +**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This information defines the setting and sets the appropriate SDDL value. ## Security considerations @@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. +Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators can't override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. Also, the COM infrastructure includes the Remote Procedure Call Services (RPCSS), a system service that runs during and after computer startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users who use remote, unauthenticated computers. @@ -92,7 +92,7 @@ To protect individual COM-based applications or services, set the **DCOM: Machin ### Potential impact -Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it does not, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. +Windows implements default COM ACLs when they're installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it doesn't, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM don't fail. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 7142b1773f..e5bb3b3aec 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -27,17 +27,17 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. +This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define more computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an extra access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers. The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local -Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. +Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running. ### Possible values - Blank - This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. - *User-defined input* of the SDDL representation of the groups and privileges @@ -66,15 +66,15 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. The Remote Procedure Call (RPC) service (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. -If you are denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. +If you're denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. -You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. +You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This setting restores control of the DCOM application to the administrator and specified users. To define this setting, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This information defines the setting and sets the appropriate SDDL value. ## Security considerations @@ -82,9 +82,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. +Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You can't override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. -Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after that. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. +Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after the startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. ### Countermeasure @@ -92,7 +92,7 @@ To protect individual COM-based applications or services, set this policy settin ### Potential impact -Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. If it does not, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. +Windows implements default COM ACLs when they're installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. If it doesn't, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM don't fail. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index 269c9d78ab..4b02ab14cd 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features and tools available to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting supersedes the **Access this computer from the network** policy setting if a user account is subject to both policies. @@ -87,25 +87,25 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. +Users who can sign in to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. ### Countermeasure Assign the **Deny access to this computer from the network** user right to the following accounts: -- Anonymous logon +- Anonymous sign in - Built-in local Administrator account - Local Guest account - All service accounts -An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. +An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you've configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to sign in to the server with the shared folder from the network. This user right is effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. > [!NOTE] > If the service account is configured in the logon properties of a Windows service, it requires network logon rights to the domain controllers to start properly. ### Potential impact -If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected. +If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 3065d91365..a1f85a8494 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -27,8 +27,7 @@ This article describes the recommended practices, location, values, policy manag ## Reference -This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task -Scheduler. +This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to sign in by using a batch-queue tool is needed for any account that is used to start scheduled jobs with the Task Scheduler. Constant: SeDenyBatchLogonRight diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 3b48755935..6085f264bd 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -89,12 +89,12 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure +Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure services, and an attacker who already has that level of access could configure the service to run by using the System account. ### Countermeasure -We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to log on to a service application. +We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to sign in to a service application. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index e3663ffda4..7363da3bbc 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -62,11 +62,11 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. -If you apply this policy setting to the Everyone group, no one will be able to log on locally. +If you apply this policy setting to the Everyone group, no one will be able to sign in locally. ### Group Policy @@ -87,15 +87,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. +Any account with the ability to sign in locally could be used to sign in at the console of the device. If this user right isn't restricted to legitimate users who must sign in to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. ### Countermeasure -Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. +Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to other accounts that are required by those components. ### Potential impact -If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected. +If you assign the **Deny log on locally** user right to other accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on devices that are configured with the Web Server role. You should confirm that delegated activities aren't adversely affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index ea9ba0f63a..288922a996 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server. +This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It's possible for a user to establish a Remote Desktop connection to a particular server, but not be able to sign in to the console of that server. Constant: SeDenyRemoteInteractiveLogonRight @@ -38,7 +38,7 @@ Constant: SeDenyRemoteInteractiveLogonRight ### Best practices -- To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group. +- To control who can open a Remote Desktop connection and sign in to the device, add the user account to or remove user accounts from the Remote Desktop Users group. ### Location @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -86,15 +86,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights. +Any account with the right to sign in through Remote Desktop Services could be used to sign in to the remote console of the device. If this user right isn't restricted to legitimate users who need to sign in to the console of the computer, malicious users might download and run software that elevates their user rights. ### Countermeasure -Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. +Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to other accounts that are required by those components. ### Potential impact -If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected. +If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right can't connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index 6f6a4ddb5f..c0aaf647df 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -1,6 +1,6 @@ --- title: Devices Allow undock without having to log on (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. +description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c ms.reviewer: ms.author: dansimp @@ -27,11 +27,11 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. +This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must sign in to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. >**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. -Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices +Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that don't have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices ### Possible values @@ -41,7 +41,7 @@ Enabling this policy setting means that anyone with physical access to a device ### Best practices -It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems. +It's advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to sign in to the local console before they can undock their systems. ### Location @@ -66,7 +66,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -79,9 +79,10 @@ If this policy setting is enabled, anyone with physical access to portable compu ### Countermeasure Disable the **Devices: Allow undock without having to log on** setting. + ### Potential impact -Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact. +Users who have docked their device must sign in to the local console before they can undock their computers. For devices that don't have docking stations, this policy setting has no impact. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index fccacdc413..3acbde1af2 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -40,7 +40,7 @@ Users can move removable disks to a different device where they have administrat ### Best practices -- It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. +- It's advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. ### Location @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 5b2bfdf5aa..baf3de195a 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver. -This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added. +This setting has no impact if you've configured a trusted path for downloading drivers. If trusted paths are being used, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver isn't installed and the network printer isn't added. -Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. +Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this idea isn't suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. ### Possible values @@ -41,7 +41,7 @@ Although it might be appropriate in some organizations to allow users to install ### Best practices -- It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. +- It's advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting doesn't affect a user's ability to add a local printer. > [!NOTE] > After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 1bc52f9b73..18e750e462 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network. -The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data. +The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives aren't automatically made available as network shared drives; you must deliberately choose to share the drive. This setting to share is important when administrators are installing software or copying data from a CD-ROM, and they don't want network users to be able to execute the applications or view the data. -If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users. +If this policy setting is enabled, users who connect to the server over the network won't be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting isn't suitable for a system that serves as a CD jukebox for network users. ### Possible values @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -75,14 +75,14 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run +A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. ### Countermeasure Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting. ### Potential impact -Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users. +Users who connect to the server over the network can't use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service can't access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting wouldn't be suitable for a computer that serves as a CD jukebox for network users. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index 2591b45b42..cd1c68ffef 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network. -The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data. +The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives aren't automatically made available as network shared drives; you must deliberately choose to share the drive. This setting to share becomes important when you're installing software or copying data from a floppy disk and they don't want network users to be able to execute the applications or view the data. -If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. +If this policy setting is enabled, users who connect to the server over the network won't be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. ### Possible values @@ -66,7 +66,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -74,7 +74,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. +A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives aren't automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. ### Countermeasure @@ -82,7 +82,7 @@ Enable the **Devices: Restrict floppy access to locally logged-on user only** se ### Potential impact -Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. +Users who connect to the server over the network can't use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service can't access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index ad7e4030e3..e3159ed429 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. +This policy setting determines whether server operators can use the **at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that account is the Local System account. >**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. -Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. +Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is, the Local System account. This synchronization with the local account means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. -The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. +The impact of enabling this policy setting should be small for most organizations. Users, including those users in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. ### Possible values @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Command-line tools @@ -88,7 +88,7 @@ Disable the **Domain controller: Allow server operators to schedule tasks** sett ### Potential impact -The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. +The impact should be small for most organizations. Users (including those users in the Server Operators group) can still create jobs through the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 3c4bd32092..d9e51b120c 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -29,9 +29,9 @@ This article describes the best practices, location, values, and security consid This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. -Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. -This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). +This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/636). If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389). @@ -39,13 +39,13 @@ If signing is required, then LDAP simple binds not using SSL are rejected (LDAP ### Possible values -- None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. +- None. Data signatures aren't required to bind with the server. If the client computer requests data signing, the server supports it. - Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use. - Not defined. ### Best practices -- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. +- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that don't support LDAP signing will be unable to execute LDAP queries against the domain controllers. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. ### Countermeasure @@ -86,7 +86,7 @@ Configure the **Domain controller: LDAP server signing requirements** setting to ### Potential impact -Client devices that do not support LDAP signing cannot run LDAP queries against the domain controllers. +Client devices that don't support LDAP signing can't run LDAP queries against the domain controllers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index d0b2f91db5..4b6f851944 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -30,7 +30,7 @@ This policy setting enables or disables blocking a domain controller from accept ### Possible values -- **Enabled** When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. +- **Enabled** When enabled, this setting doesn't allow a domain controller to accept any changes to a machine account's password. - **Disabled** When disabled, this setting allows a domain controller to accept any changes to a machine account's password. @@ -38,7 +38,7 @@ This policy setting enables or disables blocking a domain controller from accept ### Best practices -- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain. +- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This prevention, in turn, leaves those passwords susceptible to attack. Ensure that this setting conforms to your overall security policy for the domain. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack. +If you enable this policy setting on all domain controllers in a domain, domain members can't change their machine account passwords, and those passwords are more susceptible to attack. ### Countermeasure @@ -86,7 +86,7 @@ Disable the **Domain controller: Refuse machine account password changes** setti ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index c48680bf77..f5fe43b200 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -27,30 +27,29 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is -transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. -The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: +The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: - Domain member: Digitally encrypt or sign secure channel data (always) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) -Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. +Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data. -To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains. +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains. To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data. Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting. -When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After being connected to the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Possible values - Enabled - The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. - Disabled @@ -92,7 +91,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -104,8 +103,8 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and -sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and +sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Countermeasure @@ -117,7 +116,7 @@ Select one of the following settings as appropriate for your environment to conf ### Potential impact -Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. +Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they're sent to the domain controller. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index f07984917f..920aba71a4 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -27,31 +27,31 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. -In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: +In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) -Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. +Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data. -To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. -When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Possible values - Enabled - The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted. + The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only sign-in information that is transmitted over the secure channel will be encrypted. - Disabled - The domain member will not attempt to negotiate secure channel encryption. + The domain member won't attempt to negotiate secure channel encryption. >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. @@ -86,11 +86,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy -Distribution of this policy through Group Policy does not override the Local Security Policy setting. +Distribution of this policy through Group Policy doesn't override the Local Security Policy setting. ## Security considerations @@ -98,7 +98,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Countermeasure @@ -110,7 +110,7 @@ Select one of the following settings as appropriate for your environment to conf ### Potential impact -Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller. +Digital signing of the secure channel is a good idea because it protects domain credentials as they're sent to the domain controller. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index b75a8767d9..2083e899a8 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -27,30 +27,30 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. -The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: +The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - Domain member: Digitally sign secure channel data (when possible) -Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. +Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data. -To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. -When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Possible values - Enabled - The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. + The domain member will request to sign all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit. - Disabled - Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. + Signing won't be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. - Not defined @@ -84,11 +84,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy -Distribution of this policy through Group Policy does not override the Local Security Policy setting. +Distribution of this policy through Group Policy doesn't override the Local Security Policy setting. ## Security considerations @@ -96,7 +96,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Countermeasure @@ -108,7 +108,7 @@ Because these policies are closely related and useful depending on your environm ### Potential impact -Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. +Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they're sent to the domain controller. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index 8c85b1ecee..6127a9b87f 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -39,12 +39,12 @@ Verify that the **Domain member: Disable machine account password changes** opti ### Best practices -1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. -2. Do not use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices do not have to be rejoined to the domain. -3. You may want to consider using this policy setting in specific environments, such as the following: +1. Don't enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it's established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. +2. Don't use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices don't have to be rejoined to the domain. +3. You may want to consider using this policy setting in specific environments, such as the following ones: - Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image. - - Embedded devices that do not have write access to the OS volume. + - Embedded devices that don't have write access to the OS volume. In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command: @@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices -that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. +that can't automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. ### Countermeasure @@ -94,7 +94,7 @@ Verify that the **Domain member: Disable machine account password changes** sett ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index 7a5f2b3e94..7eb431cb17 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -43,7 +43,7 @@ For more information, see [Machine Account Password Process](https://techcommuni ### Best practices -We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. +We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. ### Location @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -76,7 +76,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -By default, the domain members submit a password change every 30 days. If you increase this interval significantly so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. +By default, the domain members submit a password change every 30 days. If you increase this interval so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. ### Countermeasure @@ -84,7 +84,7 @@ Configure the **Domain member: Maximum machine account password age** setting to ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index 24cdd01bd2..1d7f2049d2 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. +The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that isn't capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that can't encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. @@ -35,7 +35,7 @@ Whenever possible, you should take advantage of these stronger session keys to h - Enabled - When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. + When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This capability means that all such domain controllers must be running at least Windows 2000 Server. - Disabled @@ -45,7 +45,7 @@ Whenever possible, you should take advantage of these stronger session keys to h ### Best practices -- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. +- It's advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. ### Location @@ -73,13 +73,13 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. -You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled. +You'll you be able to join devices that don't support this policy setting to domains where the domain controllers have this policy setting enabled. ## Security considerations @@ -99,7 +99,7 @@ If you enable this policy setting, all outgoing secure channel traffic requires ### Potential impact -Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled. +Devices that don't support this policy setting can't join domains in which the domain controllers have this policy setting enabled. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index d60d7b9568..464033d694 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security ## Reference This policy setting determines which users can set the **Trusted for Delegation** setting on a user or computer object. -Security account delegation provides the ability to connect to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. +Security account delegation enables connection to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. Only administrators who have the **Enable computer and user accounts to be trusted for delegation** credential can set up delegation. Domain admins and Enterprise admins have this credential. The procedure to allow a user to be trusted for delegation depends on the functionality level of the domain. @@ -43,7 +43,7 @@ Constant: SeEnableDelegationPrivilege ### Best practices -- There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices. +- There's no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It's only relevant on domain controllers and stand-alone devices. ### Location @@ -68,7 +68,7 @@ This section describes features, tools and guidance to help you manage this poli Modifying this setting might affect compatibility with clients, services, and applications. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -99,7 +99,7 @@ after a security incident. ### Countermeasure -The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. +The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there's a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. >**Note:**  There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers. diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index e32f558d6c..97d3791815 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security The **Enforce password history** policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced. -Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you do not also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password. +Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you don't also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password. ### Possible values @@ -39,9 +39,9 @@ Specifying a low number for **Enforce password history** allows users to continu ### Best practices -- Set **Enforce password history** to 24. This will help mitigate vulnerabilities that are caused by password reuse. +- Set **Enforce password history** to 24. This setting will help mitigate vulnerabilities that are caused by password reuse. - Set [Maximum password age](maximum-password-age.md) to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss. -- Configure [Minimum password age](minimum-password-age.md) so that you do not allow passwords to be changed immediately. +- Configure [Minimum password age](minimum-password-age.md) so that you don't allow passwords to be changed immediately. ### Location @@ -66,7 +66,7 @@ This section describes features, tools, and guidance to help you manage this pol ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -74,9 +74,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. +The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse isn't prevented, or if users continually reuse a few passwords, the effectiveness of a good password policy is greatly reduced. -If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you do not also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. +If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. >**Note:**  After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised. @@ -88,7 +88,7 @@ For this policy setting to be effective, you should also configure effective val ### Potential impact -The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but this makes them easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently. +The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they're required to change their old one. If users are required to change their passwords to new unique values, there's an increased risk of users who write their passwords somewhere so that they don't forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but these passwords make it easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index c1b6e0c09e..5198399434 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -37,9 +37,9 @@ The possible values for this Group Policy setting are: ### Best practices -- If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use. +- If this policy setting is disabled, users might be granted session tickets for services that they don't have the right to use. - We recommend to set **Enforce user logon restrictions** to Enabled. + We recommend setting **Enforce user logon restrictions** to Enabled. ### Location @@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. ### Group Policy @@ -91,7 +91,7 @@ Enable the **Enforce user logon restrictions** setting. ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index f6eda6e23e..c9c6d11852 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they are available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. +This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they're available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. Constant: SeIncreaseWorkingSetPrivilege @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index 7c5ca6c4a7..a54c5e93d9 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -44,9 +44,9 @@ This setting has these possible values: - **User display name, domain and user names** - For a local logon, the user's full name is displayed. + For a local sign in, the user's full name is displayed. If the user signed in using a Microsoft account, the user's email address is displayed. - For a domain logon, the domain\username is displayed. + For a domain sign in, the domain\username is displayed. This setting has the same effect as turning on the **Privacy** setting. - **User display name only** @@ -57,30 +57,30 @@ This setting has these possible values: - **Do not display user information** No names are displayed. - Beginning with Windows 10 version 1607, this option is not supported. + Beginning with Windows 10 version 1607, this option isn't supported. If this option is chosen, the full name of the user who locked the session is displayed instead. This change makes this setting consistent with the functionality of the new **Privacy** setting. To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. - **Domain and user names only** - For a domain logon only, the domain\username is displayed. + For a domain sign in only, the domain\username is displayed. The **Privacy** setting is automatically on and grayed out. - **Blank** Default setting. This setting translates to “Not defined,” but it will display the user's full name in the same manner as the option **User display name only**. - When an option is set, you cannot reset this policy to blank, or not defined. + When an option is set, you can't reset this policy to blank, or not defined. ### Hotfix for Windows 10 version 1607 -Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. +Clients that run Windows 10 version 1607 won't show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. If the **Privacy** setting is turned on, details will show. -The **Privacy** setting cannot be changed for clients in bulk. +The **Privacy** setting can't be changed for clients in bulk. Instead, apply [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows. -Clients that run later versions of Windows 10 do not require a hotfix. +Clients that run later versions of Windows 10 don't require a hotfix. There are related Group Policy settings: @@ -93,19 +93,19 @@ There are related Group Policy settings: For all versions of Windows 10, only the user display name is shown by default. If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. -Users will not be able to show details. +Users won't be able to show details. -If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show additional details such as domain\username. +If **Block user from showing account details on sign-in** isn't enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show other details such as domain\username. In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied. -Users will not be able to hide additional details. +Users won't be able to hide other details. -If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown. +If **Block user from showing account details on sign-in** isn't enabled and **Don’t display last signed-in** is enabled, the username won't be shown. ### Best practices -Your implementation of this policy depends on your security requirements for displayed logon information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. +Your implementation of this policy depends on your security requirements for displayed sign-in information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. -Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy. +Depending on your security policy, you might also want to enable the [Interactive logon: Don't display last user name](interactive-logon-do-not-display-last-user-name.md) policy. ### Location @@ -128,7 +128,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -136,7 +136,7 @@ None ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -148,9 +148,9 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i ### Countermeasure -Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. +Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the sign-in tiles are displayed for each signed-in user. -You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to log on. +You might also want to enable the [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the sign-in name and sign-in tile of the last user to sign in. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index 9994a60f7e..47bac4e4cc 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -1,6 +1,6 @@ --- title: Interactive logon Don't display last signed-in (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. +description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display last user name security policy setting. ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library @@ -26,11 +26,11 @@ Describes the best practices, location, values, and security considerations for ## Reference -This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop. +This security policy setting determines whether the name of the last user to sign in to the device is displayed on the Secure Desktop. -If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the user’s logon tile displayed. Additionally, if the **Switch user** feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password. +If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user’s sign-in tile displayed. Additionally, if the **Switch user** feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests a qualified domain account name (or local user name) and password. -If this policy is disabled, the full name of the last user to log on is displayed, and the user’s logon tile is displayed. This behavior is the same when the **Switch user** feature is used. +If this policy is disabled, the full name of the last user to sign in is displayed, and the user’s sign-in tile is displayed. This behavior is the same when the **Switch user** feature is used. ### Possible values @@ -40,7 +40,7 @@ If this policy is disabled, the full name of the last user to log on is displaye ### Best practices -Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. +Your implementation of this policy depends on your security requirements for displayed sign-in information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. ### Location @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -71,7 +71,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -79,7 +79,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. +An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to sign in. ### Countermeasure @@ -87,7 +87,7 @@ Enable the **Interactive logon: Do not display last user name** setting. ### Potential impact -Users must always type their user names and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. +Users must always type their user names and passwords when they sign in locally or to the domain. The sign-in tiles of all logged on users aren't displayed. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 4131998946..0284f2bb14 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -26,15 +26,18 @@ Describes the best practices, location, values, and security considerations for ## Reference -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in. -If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. +If this policy setting is enabled on a device, a user isn't required to press CTRL+ALT+DEL to sign in. -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they're using a smart card for signing in). -Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +Microsoft developed this feature to make it easier for users with certain types of physical impairments to sign in to a device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users sign in ensures that users are communicating through a trusted path when entering their passwords. -A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has. +A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system, and capture a user's password. The attacker can then sign in to the compromised account with whatever level of user rights that user has. + +> [!NOTE] +> When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value needs to be removed as well. ### Possible values @@ -69,7 +72,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -77,7 +80,7 @@ Beginning with Windows Server 2008 and Windows Vista, the CTRL+ALT+DELETE key ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -85,9 +88,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -This setting makes it easier for users with certain types of physical impairments to log on to devices that run the Windows operating system. However, if users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. +This setting makes it easier for users with certain types of physical impairments to sign in to devices that run the Windows operating system. However, if users aren't required to press CTRL+ALT+DEL, they're susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before signing in, user passwords are communicated through a trusted path. -If this setting is enabled, an attacker could install malware that looks like the standard logon dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has. +If this setting is enabled, an attacker could install malware that looks like the standard sign-in dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to sign in to the compromised account with whatever level of privilege that user has. ### Countermeasure @@ -95,7 +98,7 @@ Disable the **Interactive logon: Do not require CTRL+ALT+DEL** setting. ### Potential impact -Unless they use a smart card to log on, users must simultaneously press the three keys before the logon dialog box is displayed. +Unless they use a smart card to sign in, users must simultaneously press the three keys before the sign-in dialog box is displayed. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index e0431252ef..2fd2510de4 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile. -If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays. +If the policy is enabled and a user signs in as **Other user**, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name isn't shown until the Start screen displays. If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in. @@ -64,7 +64,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -72,7 +72,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -80,7 +80,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. +An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to sign in. ### Countermeasure @@ -88,7 +88,7 @@ Enable the **Interactive logon: Don't display user name at sign-in** setting. ### Potential impact -Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. +Users must always type their usernames and passwords when they log on locally or to the domain. The sign in tiles of all logged on users aren't displayed. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index e9a1fea0ae..148956b0f3 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, management, and security conside Beginning with Windows Server 2012 and Windows 8, the **Interactive logon: Machine account threshold** security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes. -The security setting allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker. This means, if the specified maximum number of failed logon attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access. +The security setting allows you to set a threshold for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access. -Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed logon attempts. +Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed sign-in attempts. ### Possible values @@ -39,7 +39,7 @@ You can set the **invalid logon attempts** value between 1 and 999. Values from ### Best practices -Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. +Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. ### Location @@ -64,13 +64,13 @@ This section describes features and tools that are available to help you manage ### Restart requirement -A restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. +A restart is required for changes to this policy to become effective when they're saved locally or distributed through Group Policy. ### Group Policy Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled. -When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed logon attempts that will cause a user account to be locked out. +When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed sign-in attempts that will cause a user account to be locked out. ## Security considerations @@ -82,7 +82,7 @@ This policy setting helps protect a BitLocker-encrypted device from attackers at ### Countermeasure -Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. +Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 737bfddba3..01524c765c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -Restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. +Restart is required for changes to this policy to become effective when they're saved locally or distributed through Group Policy. ### Group Policy diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index ec72b350f1..09e60e2f2b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive Logon Message text (Windows 10) description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -22,7 +22,7 @@ ms.technology: windows-sec **Applies to:** -- Windows 10 +- Windows 10 Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. @@ -30,13 +30,11 @@ Describes the best practices, location, values, management, and security conside The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. -**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. +**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in. -**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons — for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. - -When these policy settings are configured, users will see a dialog box before they can log on to the server console. +When these policy settings are configured, users will see a dialog box before they can sign in to the server console. ### Possible values @@ -47,10 +45,10 @@ The possible values for this setting are: ### Best practices -- It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: +- It's advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. - 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. + 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you're unauthorized, terminate access now. Click OK to indicate your acceptance of this information. > [!IMPORTANT] > Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. @@ -77,22 +75,22 @@ This section describes different requirements to help you manage this policy. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -There are two policy settings that relate to logon displays: +There are two policy settings that relate to sign-in displays: - **Interactive logon: Message text for users attempting to log on** - [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) -The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. +The first policy setting specifies a text message that displays to users when they sign in, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. ### Vulnerability -Users often do not understand the importance of security practices. However, the display of a warning message before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. +Users often don't understand the importance of security practices. However, the display of a warning message before signing in may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the sign-in process. ### Countermeasure @@ -100,7 +98,7 @@ Configure the **Interactive logon: Message text for users attempting to log on** ### Potential impact -Users see a message in a dialog box before they can log on to the server console. +Users see a message in a dialog box before they can sign in to the server console. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index e5f5ce5eb8..b16fd3bff2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -21,7 +21,8 @@ ms.technology: windows-sec # Interactive logon: Message title for users attempting to log on **Applies to** -- Windows 10 + +- Windows 10 Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. @@ -29,28 +30,26 @@ Describes the best practices, location, values, policy management and security c This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. -The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. +The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. - -When these policy settings are configured, users will see a dialog box before they can log on to the server console. +When these policy settings are configured, users will see a dialog box before they can sign in the server console. ### Possible values -- *User-defined title* -- Not defined +- *User-defined title* +- Not defined ### Best practices -1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: +1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: - - RESTRICTED SYSTEM + - RESTRICTED SYSTEM - or + or - - WARNING: This system is restricted to authorized users. + - WARNING: This system is restricted to authorized users. -2. Set the policy [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) to reinforce the meaning of the message’s title. +2. Set the policy [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) to reinforce the meaning of the message’s title. ### Location @@ -62,45 +61,46 @@ The following table lists the actual and effective default values for this polic |Server type or GPO | Default value| | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -There are two policy settings that relate to logon displays: +There are two policy settings that relate to sign-in displays: -- [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) -- **Interactive logon: Message title for users attempting to log on** +- [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) +- **Interactive logon: Message title for users attempting to log on** -The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. +The first policy setting specifies a text message that displays to users when they sign in, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. ### Vulnerability -Users often do not understand the importance of security practices. However, the display of a warning message with an appropriate title before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. +Users often don't understand the importance of security practices. However, the display of a warning message with an appropriate title before signing in may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the sign-in process. ### Countermeasure Configure the [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) and **Interactive logon: Message title for users attempting to log on** settings to an appropriate value for your organization. ->**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives. - +> [!NOTE] +> Any warning message that displays should be approved by your organization's legal and human resources representatives. + ### Potential impact -Users see a message in a dialog box before they can log on to the server console. +Users see a message in a dialog box before they can sign in to the server console. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 90773e0b18..966a3f3c4e 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -27,19 +27,19 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can log on to a Windows domain by using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on. This policy setting determines the number of unique users whose logon information is cached locally. +The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can sign in to a Windows domain by using cached account information. Sign-in information for domain accounts can be cached locally so that, if a domain controller can't be contacted on subsequent logons, a user can still sign in. This policy setting determines the number of unique users whose sign-in information is cached locally. -If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message: +If a domain controller is unavailable and a user's sign-in information is cached, the user is prompted with the following message: -A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on might not be available. +A domain controller for your domain couldn't be contacted. You've been logged on using cached account information. Changes to your profile since you last logged on might not be available. -If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message: +If a domain controller is unavailable and a user's sign-in information isn't cached, the user is prompted with this message: -The system cannot log you on now because the domain *DOMAIN NAME* is not available. +The system can't log you on now because the domain *DOMAIN NAME* isn't available. -The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session. +The value of this policy setting indicates the number of users whose sign-in information the server caches locally. If the value is 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session. -Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by +Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. > [!NOTE] @@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re ### Best practices -The [Windows security baselines](../windows-security-baselines.md) do not recommend configuring this setting. +The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting. ### Location @@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -85,7 +85,7 @@ None ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -93,20 +93,20 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session. +The number that is assigned to this policy setting indicates the number of users whose sign-in information is cached locally by the servers. If the number is set to 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session. -Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. +Users who access the server console have their sign-in credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location. ### Countermeasure -Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of logon information. Additional countermeasures include enforcement of strong password policies and physically secure locations for the computers. +Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of sign-in information. Other countermeasures include enforcement of strong password policies and physically secure locations for the computers. ### Potential impact -Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a -member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network. +Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a +member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to sign in to their computers when they aren't connected to the organization's network. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 88948dcc4f..be5146c636 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, policy management, and security ## Reference -Unlocking a locked device requires logon information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it is necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the logon information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system. +Unlocking a locked device requires sign-in information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it's necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the sign-in information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system. The device caches (locally in memory) the credentials of any users who have been authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. -When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) are not considered or applied after this authentication process. This means not only that user rights are not updated, but more importantly that disabled accounts are still able to unlock the console of the system. +When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) aren't considered or applied after this authentication process. This result means not only that user rights aren't updated, but more importantly that disabled accounts are still able to unlock the console of the system. -It is advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. +It's advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to reauthenticate to the domain controller. If no domain controller is available, users can't unlock their devices. ### Possible values @@ -43,7 +43,7 @@ It is advisable to set **Interactive logon: Require Domain Controller authentica ### Best practices -- Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. +- Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to reauthenticate to the domain controller. If no domain controller is available, users can't unlock their devices. ### Location @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -76,7 +76,7 @@ None ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—are not considered or applied after the account is authenticated. User privileges are not updated, and disabled accounts are still able to unlock the console of the device +By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—aren't considered or applied after the account is authenticated. User privileges aren't updated, and disabled accounts are still able to unlock the console of the device ### Countermeasure @@ -92,7 +92,7 @@ Configure the **Interactive logon: Require Domain Controller authentication to u ### Potential impact -When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) cannot log on. +When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can reauthenticate to the domain controller. If no domain controller is available, users can't unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) can't sign in. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index 50e612ee9a..959ced7fdc 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -25,7 +25,7 @@ ms.technology: windows-sec Describes the Kerberos Policy settings and provides links to policy setting descriptions. -The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this also increases the authorization overhead. In most environments, these settings should not need to be changed. +The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this ticket lifetime reduction also increases the authorization overhead. In most environments, these settings shouldn't need to be changed. These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index a0534994d0..9a7f5f87d4 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -27,10 +27,10 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. +This policy setting determines which users can dynamically load and unload device drivers. This user right isn't required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the device. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices. -Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted. +Because device driver software runs as if it's a part of the operating system with unrestricted access to the entire computer, it's critical that only known and authorized device drivers be permitted. Constant: SeLoadDriverPrivilege @@ -42,7 +42,7 @@ Constant: SeLoadDriverPrivilege ### Best practices -- Because of the potential security risk, do not assign this user right to any user, group, or process that you do not want to take over the system. +- Because of the potential security risk, don't assign this user right to any user, group, or process that you don't want to take over the system. ### Location @@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -94,11 +94,11 @@ Device drivers run as highly privileged code. A user who has the **Load and unlo ### Countermeasure -Do not assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins. +Don't assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, don't assign this user right to any user or group other than Domain Admins. ### Potential impact -If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. +If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index 17b2d7d0e6..5aae309524 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md @@ -31,7 +31,7 @@ This policy setting determines which accounts can use a process to keep data in Normally, an application running on Windows can negotiate for more physical memory, and in response to the request, the application begins to move the data from RAM (such as the data cache) to a disk. When the pageable memory is moved to a disk, more RAM is free for the operating system to use. -Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation. +Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This limitation could lead to performance degradation. >**Note:**  By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system. @@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -92,7 +92,7 @@ Users with the **Lock pages in memory** user right could assign physical memory ### Countermeasure -Do not assign the **Lock pages in memory** user right to any accounts. +Don't assign the **Lock pages in memory** user right to any accounts. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index 4fb931974f..39c6bc3b10 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -27,7 +27,7 @@ This article describes the recommended practices, location, values, policy manag ## Reference -This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context. +This policy setting determines which accounts can sign in by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context. Constant: SeBatchLogonRight @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Log on as a batch job** user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default. +The **Log on as a batch job** user right presents a low-risk vulnerability that allows non-administrators to perform administrator-like functions. If not assessed, understood, and restricted accordingly, attackers can easily exploit this potential attack vector to compromise systems, credentials, and data. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default. ### Countermeasure @@ -95,7 +95,7 @@ For IIS servers, configure this policy locally instead of through domain–based ### Potential impact -If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to additional accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality. +If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to other accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index 5da39ee708..4566dfbf15 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -27,8 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the -Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md). +This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the Security log in Event Viewer. For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md). Constant: SeSecurityPrivilege @@ -40,7 +39,7 @@ Constant: SeSecurityPrivilege ### Best practices 1. Before removing this right from a group, investigate whether applications are dependent on this right. -2. Generally, assigning this user right to groups other than Administrators is not necessary. +2. Generally, assigning this user right to groups other than Administrators isn't necessary. ### Location @@ -65,11 +64,11 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. -Audits for object access are not performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool. +Audits for object access aren't performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool. For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md). diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index e3ed6c49c4..3dbb0c258d 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -31,16 +31,16 @@ The **Maximum lifetime for service ticket** policy setting determines the maximu The possible values for this Group Policy setting are: -- A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets do not expire). +- A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets don't expire). - Not defined. -If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that authenticated the connection expires during the connection. +If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations aren't interrupted if the session ticket that authenticated the connection expires during the connection. -If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire. +If the value for this policy setting is too high, users might be able to access network resources outside of their sign-in hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire. ### Best practices -- It is advisable to set **Maximum lifetime for service ticket** to **600** minutes. +- It's advisable to set **Maximum lifetime for service ticket** to **600** minutes. ### Location @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled. +If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their sign-in hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled. ### Countermeasure @@ -94,7 +94,7 @@ Configure the **Maximum lifetime for service ticket** setting to 600 minutes. ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index 0b5fddd3cd..4807321a05 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -36,9 +36,9 @@ The possible values for this Group Policy setting are: ### Best practices -- If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire. +- If the value for this policy setting is too high, users may be able to renew old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire. - It is advisable to set **Maximum lifetime for user ticket renewal** to **7** days. + It's advisable to set **Maximum lifetime for user ticket renewal** to **7** days. ### Location @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew very old user tickets. +If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew old user tickets. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index b189dda660..53e36fa838 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -34,7 +34,7 @@ The possible values for this Group Policy setting are: - A user-defined number of hours from 0 through 99,999 - Not defined -If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire. +If the value for this policy setting is too high, users might be able to access network resources outside of their sign-in hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire. ### Best practices @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack. +If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their sign-in hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack. ### Countermeasure @@ -92,7 +92,7 @@ Configure the **Maximum lifetime for user ticket** setting with a value between ### Potential impact -Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user does not have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of four hours without too much additional burden. +Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user doesn't have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of 4 hours without any extra burden. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 546b7de4f2..e63f28edde 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. +The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a certain number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. >**Note:**  Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**. @@ -66,7 +66,7 @@ This section describes features, tools, and guidance to help you manage this pol ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,13 +78,13 @@ The longer a password exists, the higher the likelihood that it will be compromi ### Considerations -Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/) for further information. +Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. For more information, see [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/). -Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organisations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements. +Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organizations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements. ### Potential impact -If the **Maximum password age** policy setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. +If the **Maximum password age** policy setting is too low, users are required to change their passwords often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index fe607f246f..e010602641 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. -Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. +Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any timestamp that's used in a session between the two devices is considered to be authentic. The possible values for this Group Policy setting are: @@ -39,7 +39,7 @@ The possible values for this Group Policy setting are: ### Best practices -- It is advisable to set **Maximum tolerance for computer clock synchronization** to a value of 5 minutes. +- It's advisable to set **Maximum tolerance for computer clock synchronization** to a value of 5 minutes. ### Location @@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any time stamp that is used in a session between the two computers is considered to be authentic. +To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any timestamp that's used in a session between the two computers is considered to be authentic. ### Countermeasure @@ -93,7 +93,7 @@ Configure the **Maximum tolerance for computer clock synchronization** setting t ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 0cc87e361e..c17a0e599f 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -28,23 +28,23 @@ Describes the best practices, location, values, policy management and security c ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. This policy setting allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. This policy setting allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that doesn't support password encryption during authentication. ### Possible values - Enabled - The Server Message Block (SMB) redirector is allowed to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + The Server Message Block (SMB) redirector is allowed to send plaintext passwords to a non-Microsoft server service that doesn't support password encryption during authentication. - Disabled - The Server Message Block (SMB) redirector only sends encrypted passwords to non-Microsoft SMB server services. If those server services do not support password encryption, the authentication request will fail. + The Server Message Block (SMB) redirector only sends encrypted passwords to non-Microsoft SMB server services. If those server services don't support password encryption, the authentication request will fail. - Not defined ### Best practices -- It is advisable to set **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** to Disabled. +- It's advisable to set **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** to Disabled. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -85,7 +85,7 @@ Disable the **Microsoft network client: Send unencrypted password to connect to ### Potential impact -Some older applications may not be able to communicate with the servers in your organization by means of the SMB protocol. +Some older applications may not be able to communicate with the servers in your organization through the SMB protocol. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index abe6db2b33..5a14605d54 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -41,7 +41,7 @@ The **Microsoft network server: Amount of idle time required before suspending s ### Best practices -- It is advisable to set this policy to 15 minutes. There will be little impact because SMB sessions will be reestablished automatically if the client resumes activity. +- It's advisable to set this policy to 15 minutes. There will be little impact because SMB sessions will be reestablished automatically if the client resumes activity. ### Location @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -83,7 +83,7 @@ The default behavior on a server mitigates this threat by design. ### Potential impact -There is little impact because SMB sessions are reestablished automatically if the client computer resumes activity. +There's little impact because SMB sessions are reestablished automatically if the client computer resumes activity. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 1ef73b3a59..f4ddaa9d5a 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -30,9 +30,9 @@ Describes the best practices, location, values, management, and security conside This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. -When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims are not present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. +When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims aren't present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. -If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal. +If this setting is disabled, the Windows file server won't attempt to obtain a claim-enabled access token for the client principal. ### Possible values @@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -None. Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 +None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 and Windows 8. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index afb7ddfe20..080f186f03 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -34,7 +34,7 @@ Implementation of digital signatures in high-security networks helps prevent the Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. +There's a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. | | Server – Required | Server – Not Required | @@ -46,7 +46,7 @@ There is a negotiation done between the SMB client and the SMB server to decide 1 Default for domain controller SMB traffic
                        2 Default for all other SMB traffic -Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). +Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact). ### Possible values @@ -80,7 +80,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -90,7 +90,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -101,7 +101,7 @@ Enable **Microsoft network server: Digitally sign communications (always)**. ### Potential impact -Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. +Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you're using a 1-GB Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index 5cf58f4daf..6b528db190 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -1,6 +1,6 @@ --- -title: Microsoft network server Disconnect clients when logon hours expire (Windows 10) -description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when logon hours expire. +title: Microsoft network server Disconnect clients when sign-in hours expire (Windows 10) +description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when sign-in hours expire. ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af ms.reviewer: ms.author: dansimp @@ -18,7 +18,7 @@ ms.date: 04/19/2017 ms.technology: windows-sec --- -# Microsoft network server: Disconnect clients when logon hours expire +# Microsoft network server: Disconnect clients when sign-in hours expire **Applies to** - Windows 10 @@ -27,17 +27,17 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting enables or disables the forced disconnection of users who are connected to the local device outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client computer sessions with the SMB service are forcibly disconnected when the client's logon hours expire. If you disable this policy setting, established client device sessions are maintained after the client device's logon hours expire. +This policy setting enables or disables the forced disconnection of users who are connected to the local device outside their user account's valid sign-in hours. It affects the SMB component. If you enable this policy setting, client computer sessions with the SMB service are forcibly disconnected when the client's sign-in hours expire. If you disable this policy setting, established client device sessions are maintained after the client device's sign-in hours expire. ### Possible values - Enabled - Client device sessions with the SMB service are forcibly disconnected when the client device's logon hours expire. If logon hours are not used in your organization, enabling this policy setting will have no impact. + Client device sessions with the SMB service are forcibly disconnected when the client device's sign-in hours expire. If sign-in hours aren't used in your organization, enabling this policy setting will have no impact. - Disabled - The system maintains an established client device session after the client device's logon hours have expired. + The system maintains an established client device session after the client device's sign-in hours have expired. - Not defined @@ -68,11 +68,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -80,7 +80,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If your organization configures logon hours for users, it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours can continue to use those resources with sessions that were established during allowed hours. +If your organization configures sign-in hours for users, it makes sense to enable this policy setting. Otherwise, users who shouldn't have access to network resources outside of their sign-in hours can continue to use those resources with sessions that were established during allowed hours. ### Countermeasure @@ -88,7 +88,7 @@ Enable the **Microsoft network server: Disconnect clients when logon hours expir ### Potential impact -If logon hours are not used in your organization, this policy setting has no impact. If logon hours are used, existing user sessions are forcibly terminated when their logon hours expire. +If sign-in hours aren't used in your organization, this policy setting has no impact. If sign-in hours are used, existing user sessions are forcibly terminated when their sign-in hours expire. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md index 23c36d99fa..a403cf9029 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md @@ -37,15 +37,15 @@ The options for validation levels are: - **Off** - The SPN from a SMB client is not required or validated by the SMB server. + The SPN from an SMB client isn't required or validated by the SMB server. - **Accept if provided by client** - The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s. If the SPN does not match, the session request for that SMB client will be denied. + The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPNs. If the SPN doesn't match, the session request for that SMB client will be denied. - **Required from client** - The SMB client must send a SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided does not match, the session is denied. + The SMB client must send an SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided doesn't match, the session is denied. The default setting is Off. @@ -78,7 +78,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -86,7 +86,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 960112af64..97ae441bb7 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -35,14 +35,14 @@ The **Minimum password age** policy setting determines the period of time (in da [Windows security baselines](../windows-security-baselines.md) recommend setting **Minimum password age** to one day. -Setting the number of days to 0 allows immediate password changes. This setting is not recommended. +Setting the number of days to 0 allows immediate password changes. This setting isn't recommended. Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. For example, suppose a password is "Ra1ny day!" and the history requirement is 24. If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!". The minimum password age of 1 day prevents that. If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. -Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. +Otherwise, the user won't be able to change the password until the number of days specified by **Minimum password age**. ### Location @@ -67,7 +67,7 @@ This section describes features, tools, and guidance to help you manage this pol ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -75,17 +75,17 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach. +Users may have favorite passwords that they like to use because they're easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach. -To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. Configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective. +To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users can't reuse any of their last 12 passwords, but you don't configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. Configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective. ### Countermeasure -Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. +Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we don't recommend. ### Potential impact -If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. +If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user can't change the password until the next day. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index d116884fca..79aad414c3 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -38,9 +38,9 @@ The **Minimum password length** policy setting determines the least number of ch Set Minimum password length to at least a value of 14. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md). -Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls. +Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls. -In addition, requiring extremely long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember. +In addition, requiring long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember. ### Location @@ -86,7 +86,7 @@ In most environments, we recommend an eight-character password because it's long ### Potential impact -Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords because of password length requirements, consider teaching your users about passphrases, which are often easier to remember and, because of the larger number of character combinations, much harder to discover. +Requirements for long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords because of password length requirements, consider teaching your users about passphrases, which are often easier to remember and, because of the larger number of character combinations, much harder to discover. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index b320e305b8..373887c79e 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md @@ -34,10 +34,10 @@ similar to NTFS file and folder permissions, which are discretionary controls on - **Untrusted**   Default assignment for processes that are logged on anonymously. - **Low**   Default assignment for processes that interact with the Internet. -- **Medium**   Default assignment for standard user accounts and any object that is not explicitly designated with a lower or higher integrity level. +- **Medium**   Default assignment for standard user accounts and any object that isn't explicitly designated with a lower or higher integrity level. - **High**  Default assignment for administrator accounts and processes that request to run using administrative rights. - **System**   Default assignment for Windows kernel and core services. -- **Installer**   Used by setup programs to install software. It is important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects. +- **Installer**   Used by setup programs to install software. It's important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects. Constant: SeRelabelPrivilege @@ -48,7 +48,7 @@ Constant: SeRelabelPrivilege ### Best practices -- Do not give any group this user right. +- Don't give any group this user right. ### Location @@ -73,7 +73,7 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -97,11 +97,11 @@ This section describes how an attacker might exploit a feature or its configurat Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. -If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to relabel. +If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts don't have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you're attempting to relabel. ### Countermeasure -Do not give any group this right. If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need. +Don't give any group this right. If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index 82be9fa1ec..3749e86521 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md @@ -37,7 +37,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob - Enabled - An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation. + An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation and the name-to-SID translation. - Disabled @@ -47,7 +47,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob ### Best practices -- Set this policy to Disabled. This is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled. +- Set this policy to Disabled, which is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled. ### Location @@ -79,7 +79,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index aa56038e35..6bad2976ca 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON. +This policy setting determines which other permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This permission is convenient, for example, when an administrator wants to give access to users in a trusted domain that doesn't maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON. This policy setting has no impact on domain controllers. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. @@ -38,7 +38,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob - Disabled - No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks. + No other permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks. - Not defined @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflicts @@ -89,7 +89,7 @@ Enable the **Network access: Do not allow anonymous enumeration of SAM accounts ### Potential impact -It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. +It's impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 1e144a682f..a6c761b102 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. +This policy setting determines which other permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This permission is convenient, for example, when an administrator wants to give access to users in a trusted domain that doesn't maintain a reciprocal trust. This policy setting has no impact on domain controllers. @@ -39,7 +39,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob - Disabled - No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. + No other permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. - Not defined @@ -66,7 +66,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflicts @@ -90,7 +90,7 @@ Enable the **Network access: Do not allow anonymous enumeration of SAM accounts* ### Potential impact -It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. +It's impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 160dbb22e8..51152ae5b7 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -33,7 +33,7 @@ This security setting determines whether Credential Manager saves passwords and - Enabled - Credential Manager does not store passwords and credentials on the device + Credential Manager doesn't store passwords and credentials on the device - Disabled @@ -43,7 +43,7 @@ This security setting determines whether Credential Manager saves passwords and ### Best practices -It is a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials are not needed. Evaluate your servers and workstations to determine the requirements. Cached credentials are designed primarily to be used on laptops that require domain credentials when disconnected from the domain. +It's a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials aren't needed. Evaluate your servers and workstations to determine the requirements. Cached credentials are designed primarily to be used on laptops that require domain credentials when disconnected from the domain. ### Location @@ -72,7 +72,7 @@ A restart of the device is required before this policy will be effective when ch ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -84,21 +84,21 @@ Passwords that are cached can be accessed by the user when logged on to the devi >**Note:**  The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies. -Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. +Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. With the help of one of these utilities, an attacker can authenticate by using the overwritten value. -Overwriting the administrator's password does not help the attacker access data that is encrypted by using that password. Also, overwriting the password does not help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt. +Overwriting the administrator's password doesn't help the attacker access data that is encrypted by using that password. Also, overwriting the password doesn't help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password doesn't help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) won't decrypt. ### Countermeasure Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. -To limit the number of cached domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. +To limit the number of cached domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's 10 most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. -When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. +When you try to sign in to a domain from a Windows-based client device, and a domain controller is unavailable, you don't receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of a sign in that uses cached domain credentials with the ReportDC registry entry. ### Potential impact -Users are forced to type passwords whenever they log on to their Microsoft Account or other network resources that are not accessible to their domain account. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory–based domain account. +Users are forced to type passwords whenever they sign in to their Microsoft Account or other network resources that aren't accessible to their domain account. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory–based domain account. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 542bd046ed..5984f7aa39 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities. This capability is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. +This policy setting determines what other permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities. This capability is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. -By default, the token that is created for anonymous connections does not include the Everyone SID. Therefore, permissions that are assigned to the Everyone group do not apply to anonymous users. +By default, the token that is created for anonymous connections doesn't include the Everyone SID. Therefore, permissions that are assigned to the Everyone group don't apply to anonymous users. ### Possible values @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -86,7 +86,7 @@ Disable the **Network access: Let Everyone permissions apply to anonymous users* ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md index 78c22e2c43..ee23e0432c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -38,7 +38,7 @@ Restricting access over named pipes such as COMNAP and LOCATOR helps prevent una ### Best practices -- Set this policy to a null value; that is, enable the policy setting, but do not enter named pipes in the text box. This will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. +- Set this policy to a null value; that is, enable the policy setting, but don't enter named pipes in the text box. This setting will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. ### Location @@ -63,7 +63,7 @@ This section describes different features and tools available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -90,11 +90,11 @@ You can restrict access over named pipes such as COMNAP and LOCATOR to help prev ### Countermeasure -Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but do not specify named pipes in the text box). +Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but don't specify named pipes in the text box). ### Potential impact -This configuration disables null-session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes no longer function. This may break trust between Windows Server 2003 domains in a mixed mode environment. +This configuration disables null-session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes no longer function. This result may break trust between Windows Server 2003 domains in a mixed mode environment. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md index 1f5a821007..7a130c03eb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -41,7 +41,7 @@ To allow remote access, you must also enable the Remote Registry service. ### Best practices -- Set this policy to a null value; that is, enable the policy setting, but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. +- Set this policy to a null value; that is, enable the policy setting, but don't enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. ### Location @@ -80,7 +80,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -92,7 +92,7 @@ The registry contains sensitive device configuration information that could be u ### Countermeasure -Configure the **Network access: Remotely accessible registry paths and sub-paths** setting to a null value (enable the setting but do not enter any paths in the text box). +Configure the **Network access: Remotely accessible registry paths and sub-paths** setting to a null value (enable the setting but don't enter any paths in the text box). ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md index fe4a3d425e..746ada8c10 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md @@ -40,7 +40,7 @@ To allow remote access, you must also enable the Remote Registry service. ### Best practices -- Set this policy to a null value; that is, enable the policy setting but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. +- Set this policy to a null value; that is, enable the policy setting but don't enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. ### Location @@ -71,7 +71,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -83,7 +83,7 @@ An attacker could use information in the registry to facilitate unauthorized act ### Countermeasure -Configure the **Network access: Remotely accessible registry paths** setting to a null value (enable the setting, but do not enter any paths in the text box). +Configure the **Network access: Remotely accessible registry paths** setting to a null value (enable the setting, but don't enter any paths in the text box). ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 57dc9bbbb8..9bc2a12af5 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -40,7 +40,7 @@ Null sessions are a weakness that can be exploited through the various shared fo ### Best practices -- Set this policy to Enabled. Enabling this policy setting restricts null session access to unauthenticated users to all server pipes and shared folders except those listed in the **NullSessionPipes** and **NullSessionShares** registry entries. +- Set this policy to Enabled. Enabling this policy setting restricts null session access to unauthenticated users to all server pipes and shared folders except those server pipes and shared folders listed in the **NullSessionPipes** and **NullSessionShares** registry entries. ### Location @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -81,7 +81,7 @@ Enable the **Network access: Restrict anonymous access to Named Pipes and Shares ### Potential impact -You can enable this policy setting to restrict null-session access for unauthenticated users to all server pipes and shared folders except those that are listed in the NullSessionPipes and NullSessionShares entries. +You can enable this policy setting to restrict null-session access for unauthenticated users to all server pipes and shared folders except those server pipes and shared folders that are listed in the NullSessionPipes and NullSessionShares entries. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 9ffa1041c1..9e277a9551 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -2,63 +2,55 @@ title: Network access - Restrict clients allowed to make remote calls to SAM description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security +ms.technology: windows-sec ms.localizationpriority: medium -author: dansimp ms.date: 09/17/2018 +author: dansimp +ms.author: dansimp ms.reviewer: manager: dansimp -ms.author: dansimp -ms.technology: windows-sec --- # Network access: Restrict clients allowed to make remote calls to SAM **Applies to** -- Windows 10, version 1607 and later -- Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/help/4013198) installed -- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/help/4012606) installed -- Windows 8.1 with [KB 4102219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed -- Windows 7 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed -- Windows Server 2019 -- Windows Server 2016 -- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed -- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed -- Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed +- Windows 10 +- Windows 8.1 +- Windows Server 2019 +- Windows Server 2016 +- Windows Server 2012 R2 -The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. -The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the KB articles listed in **Applies to** section of this topic. +The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. +The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems. -This topic describes the default values for this security policy setting in different versions of Windows. -By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows. -This means that if you have a mix of computers, such as member servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed. +This article describes the default values for this security policy setting in different versions of Windows. +By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows. +This restrictive characteristic means that if you have a mix of computers, such as member servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed. -This topic also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility. +This article also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility. > [!NOTE] > Implementation of this policy [could affect offline address book generation](/troubleshoot/windows-server/group-policy/authz-fails-access-denied-error-application-access-check) on servers running Microsoft Exchange 2016 or Microsoft Exchange 2013. ## Reference -The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. -For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. -This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment. +The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. +For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. +This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment. -To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. -The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define. +To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. +The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define. -By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. -If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. -If the policy setting is left blank after the policy is defined, the policy is not enforced. +By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting isn't defined. +If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. +If the policy setting is left blank after the policy is defined, the policy isn't enforced. -The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. +The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators. -The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. -This less restrictive default allows for testing the impact of enabling restrictions on existing applications. +The default security descriptor on computers that run earlier versions of Windows doesn't restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. +This less restrictive default allows for testing the affect of enabling restrictions on existing applications. ## Policy and Registry Names @@ -71,29 +63,30 @@ This less restrictive default allows for testing the impact of enabling restrict | **Registry type** | REG_SZ | | **Registry value** | A string that will contain the SDDL of the security descriptor to be deployed. | -The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later. -This is the only option to configure this setting by using a user interface (UI). +The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later. +These computers are the only option to configure this setting by using a user interface (UI). -On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. -To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed. +On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. +To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed. > [!NOTE] -> This policy is implemented similarly to other "Network access" policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. -> -> For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. +> This policy is implemented similarly to other "Network access" policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. +> +> For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. ## Default values -Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. -The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes. -Administrators can test whether applying the same restriction earlier versions of Windows will cause compatibility problems for existing applications before implementing this security policy setting in a production environment. + +Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. +The different default values help strike a balance where recent Windows versions are more secure by default and older versions don't undergo any disruptive behavior changes. +Administrators can test whether applying the same restriction earlier versions of Windows will cause compatibility problems for existing applications before implementing this security policy setting in a production environment. In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows. -| |Default SDDL |Translated SDDL| Comments | +| |Default SDDL |Translated SDDL| Comments | |---|---|---|---| -|**Windows Server 2016 (or later) domain controller (reading Active Directory)**|“”|-|Everyone has read permissions to preserve compatibility.| +|**Windows Server 2016 (or later) domain controller (reading Active Directory)**|""|-|Everyone has read permissions to preserve compatibility.| |**Earlier domain controller** |-|-|No access check is performed by default.| -|**Windows 10, version 1607 (or later) non-domain controller**|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        DACL:
                        • Revision: 0x02
                        • Size: 0x0020
                        • Ace Count: 0x001
                        • Ace[00]-------------------------
                          AceType:0x00
                          (ACCESS\_ALLOWED_ACE_TYPE)
                          AceSize:0x0018
                          InheritFlags:0x00
                          Access Mask:0x00020000
                          AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

                          SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | +|**Windows 10, version 1607 (or later) non-domain controller**|`O:SYG:SYD:(A;;RC;;;BA)`| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        DACL:
                        - Revision: 0x02
                        - Size: 0x0020
                        - Ace Count: 0x001
                        - Ace[00]-------------------------
                          AceType:0x00
                          (ACCESS\_ALLOWED_ACE_TYPE)
                          AceSize:0x0018
                          InheritFlags:0x00
                          Access Mask:0x00020000
                          AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

                          SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | |**Earlier non-domain controller** |-|-|No access check is performed by default.| ## Policy management @@ -102,7 +95,7 @@ This section explains how to configure audit-only mode, how to analyze related e ### Audit only mode -Audit only mode configures the SAMRPC protocol to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but SAMRPC will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting. +Audit-only mode configures the SAMRPC protocol to do the access check against the currently configured security descriptor but won't fail the call if the access check fails. Instead, the call will be allowed, but SAMRPC will log an event describing what would have happened if the feature had been enabled. This mode provides administrators a way to test their applications before enabling the policy in production. Audit only mode isn't configured by default. To configure it, add the following registry setting. |Registry|Details| |---|---| @@ -110,16 +103,17 @@ Audit only mode configures the SAMRPC protocol to do the access check against th |Setting|RestrictRemoteSamAuditOnlyMode| |Data Type|REG_DWORD| |Value|1| -|Notes|This setting cannot be added or removed by using predefined Group Policy settings.
                        Administrators may create a custom policy to set the registry value if needed.
                        SAM responds dynamically to changes in this registry value without a reboot.
                        You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.| +|Notes|This setting can't be added or removed by using predefined Group Policy settings. Administrators may create a custom policy to set the registry value if needed. SAM responds dynamically to changes in this registry value without a reboot. | ### Related events There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM: -1. Dump event logs to a common share. -2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script. -3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM. -4. Identify which security contexts are enumerating users or groups in the SAM database. -5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string. + +1. Dump event logs to a common share. +1. Right click the System log, select **Filter Current Log**, and specify `16962-16969` in the Event IDs field. +1. Review Event IDs 16962 to 16969, as listed in the following table, with event source **Directory-Service-SAM**. +1. Identify which security contexts are enumerating users or groups in the SAM database. +1. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string. |Event ID|Event Message Text|Explanation | |---|---|---| @@ -127,14 +121,15 @@ There are corresponding events that indicate when remote calls to the SAM are re |16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n"

                        %1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL. |16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n"

                        %1- "Malformed SD String:"
                        %2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL). |16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"

                        %1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client. -|16966|Audit Mode is enabled-

                        Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled. +|16966|Audit Mode is enabled-

                        Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled. |16967|Audit Mode is disabled-

                        Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled. |16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n"
                        %1- "Client SID:"
                        %2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.| -|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%n
                        "%1- "Throttle window:"
                        %2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap.

                        Note: There is no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section. +|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1-seconds throttling window.%n
                        "%1- "Throttle window:"
                        %2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap.

                        Note: There's no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section. -Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access. +Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access. + +### Event throttling -### Event Throttling A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value. |Registry Path|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ | @@ -143,32 +138,34 @@ Setting |RestrictRemoteSamEventThrottlingWindow| Data Type |DWORD| |Value|seconds| |Reboot Required?|No| -|Notes|**Default** is 900 seconds – 15mins.
                        The throttling uses a suppressed events counter which starts at 0 and gets incremented during the throttling window.
                        For example, X events were suppressed in the last 15 minutes.
                        The counter is restarted after the event 16969 is logged. +|Notes|**Default** is 900 seconds (15 minutes).
                        The throttling uses a suppressed events counter that starts at 0 and gets incremented during the throttling window.
                        For example, X events were suppressed in the last 15 minutes.
                        The counter is restarted after the event 16969 is logged. ### Restart requirement -Restarts are not required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they are saved locally or distributed through Group Policy. +Restarts aren't required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -### Vulnerability -The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans.

                        +### Vulnerability + +The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans. + The following example illustrates how an attacker might exploit remote SAM enumeration: + 1. A low-privileged attacker gains a foothold on a network. -2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine. -3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials. +2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine. +3. If the attacker can, then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to sign in and then steal or impersonate those credentials. ### Countermeasure + You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access. -### Potential impact -If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode). +### Potential affect + +If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode). + +## Next steps -## Related Topics [Security Options](./security-options.md) - -[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b) - -
                        \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index 0e8c62d1a3..8886a5ba0a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md @@ -36,7 +36,7 @@ This policy setting determines which shared folders can be accessed by anonymous ### Best practices -- Set this policy to a null value. There should be little impact because this is the default value. All users will have to be authenticated before they can access shared resources on the server. +- Set this policy to a null value. There should be little impact because this null value is the default one. All users will have to be authenticated before they can access shared resources on the server. ### Location @@ -61,7 +61,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -77,7 +77,7 @@ Configure the **Network access: Shares that can be accessed anonymously** settin ### Potential impact -There should be little impact because this is the default configuration. Only authenticated users have access to shared resources on the server. +There should be little impact because this state is the default configuration. Only authenticated users have access to shared resources on the server. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index f4a400c044..c13b8ecea9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md @@ -32,7 +32,7 @@ This policy setting determines how network logons that use local accounts are au >**Note:**  This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used. -When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. +When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This privilege means that they'll probably be unable to write to shared folders. Although this restriction does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. ### Possible values @@ -68,11 +68,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -80,7 +80,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they do not have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. +With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they don't have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. ### Countermeasure @@ -88,7 +88,7 @@ For network servers, configure the **Network access: Sharing and security model ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 261dd0a213..2b7a73365a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -35,9 +35,9 @@ When a service connects with the device identity, signing and encryption are sup | Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | | - | - | - | -| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | -| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| -|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| +| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This behavior is the default behavior. | +| Disabled| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. This behavior is the default behavior.| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously.| +|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.| ### Location @@ -61,17 +61,17 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations -The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This will increase the success of interoperability at the expense of security. +The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This privilege will increase the success of interoperability at the expense of security. The anonymous authentication behavior is different for Windows Server 2008 and Windows Vista than later versions of Windows. Configuring and applying this policy setting on those systems might not produce the same results. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -89,7 +89,7 @@ You can configure the **Network security: Allow Local System to use computer ide ### Potential impact -If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. +If you don't configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that uses the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index 401a588948..271d990f14 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, and security considerations for ## Reference This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local -System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. +System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session doesn't establish a unique session key for each authentication; and thus, it can't provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. ### Possible values @@ -41,13 +41,13 @@ System will fall back to using NULL session authentication when they transmit da When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a NULL session will still have full use of session security. -- Not defined. When this policy is not defined, the default takes effect. This is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it is Disabled otherwise. +- Not defined. When this policy isn't defined, the default takes effect. This policy is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it's Disabled otherwise. ### Best practices -When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection is not provided. However, you will need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. +When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection isn't provided. However, you'll need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. -This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it is disabled in Windows 7 and Windows Server 2008 R2 and later. +This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it's disabled in Windows 7 and Windows Server 2008 R2 and later. ### Location @@ -74,11 +74,11 @@ If this setting is Enabled, when a service connects with a NULL session, a syste ### Countermeasure -You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that is not possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. +You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that isn't possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. ### Potential impact -If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption. +If you enable this policy, services that use NULL session with Local System could fail to authenticate because they'll be prohibited from using signing and encryption. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 1c229713a8..093d8db29f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -27,18 +27,18 @@ This article describes the best practices, location, and values for the **Networ ## Reference -Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. +From Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. -When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. +When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to sign in. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the sign-in peer for validation. It associates the user's certificate to a security token, and then the sign-in process completes. > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. +This policy isn't configured by default on domain-joined devices. This disablement would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. ### Possible values -- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. +- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship by using online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the sign-in peer for validation. It associates the user's certificate to a security token, and then the sign-in process completes. > [!NOTE] > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. @@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD-joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Azure AD-joined devices, where they're signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. ### Countermeasure @@ -83,9 +83,9 @@ Set this policy to *Disabled* or don't configure this security policy for *on-pr ### Potential impact -If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This is a valid configuration in *on-premises only* environments. Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. +If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This disablement is a valid configuration in *on-premises only* environments. Some roles/features (such as Failover Clustering) don't utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. -If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. +If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. If this policy isn't enabled, remote connections to an Azure AD joined device won't work. ### Fix/Remediation diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index bcaef6d811..afe9be35da 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -37,11 +37,11 @@ The following table lists and explains the allowed encryption types. | Encryption type | Description and version support | | - | - | | DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
                        Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. | -| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
                        Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems do not support DES by default. | +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
                        Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. | | RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
                        Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.| | AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
                        Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | | AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
                        Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | -| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.| +| Future encryption types| Reserved by Microsoft for other encryption types that might be implemented.| ### Possible values @@ -55,7 +55,7 @@ The encryption type options include: - AES256\_HMAC\_SHA1 - Future encryption types - As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. + As of the release of Windows 7 and Windows Server 2008 R2, these options are reserved by Microsoft for other encryption types that might be implemented. ### Best practices @@ -72,9 +72,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Default domain policy| Not defined| | Default domain controller policy| Not defined| | Stand-alone server default settings | Not defined| -| Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.| -| Member server effective default settings | The default OS setting applies, DES suites are not supported by default.| -| Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.| +| Domain controller effective default settings | The default OS setting applies, DES suites aren't supported by default.| +| Member server effective default settings | The default OS setting applies, DES suites aren't supported by default.| +| Effective GPO default settings on client computers | The default OS setting applies, DES suites aren't supported by default.| ## Security considerations @@ -87,14 +87,14 @@ Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES fo ### Countermeasure -Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7, and Windows 10 to use the AES or RC4 cryptographic suites. +Don't configure this policy. This disablement will force the computers running Windows Server 2008 R2, Windows 7, and Windows 10 to use the AES or RC4 cryptographic suites. ### Potential impact If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. -If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. +If you do select any encryption type, you'll lower the effectiveness of encryption for Kerberos authentication but you'll improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index ebf155ba56..e0ecaddc05 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed. Hash values are a representation of the password after the encryption algorithm is applied that corresponds to the format that is specified by the algorithm. To decrypt the hash value, the encryption algorithm must be determined and then reversed. The LAN Manager hash is relatively weak and prone to attack compared to the cryptographically stronger NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can be compromised if the security database, Security Accounts Manager (SAM), is attacked. -By attacking the SAM file, attackers can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting will not prevent these types of attacks, but it will make them much more difficult. +When the attackers attack the SAM file, they can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting won't prevent these types of attacks, but it will make them much more difficult. ### Possible values @@ -40,7 +40,7 @@ By attacking the SAM file, attackers can potentially gain access to user names a ### Best practices - Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**. - - Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + - Require all users to set new passwords the next time they sign in to the domain so that LAN Manager hashes are removed. ### Location @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -73,11 +73,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks are not prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it is much more difficult for these attacks to succeed. +The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks aren't prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it's much more difficult for these attacks to succeed. ### Countermeasure -Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. +Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they sign in to the domain so that LAN Manager hashes are removed. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index daab389419..3bc3ec584c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -27,25 +27,25 @@ Describes the best practices, location, values, policy management, and security ## Reference -This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. +This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid sign-in hours. This setting affects the Server Message Block (SMB) component. -This policy setting does not apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there is a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings are not applied to member devices. +This policy setting doesn't apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it's enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there's a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings aren't applied to member devices. ### Possible values - Enabled - When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. + When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's sign-in hours expire. - Disabled - When disabled, this policy allows for the continuation of an established client session after the client's logon hours have expired. + When disabled, this policy allows for the continuation of an established client session after the client's sign-in hours have expired. - Not defined ### Best practices -- Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's logon time expires, and the user will be unable to log on to the system until their next scheduled access time begins. +- Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's sign-in time expires, and the user will be unable to sign in to the system until their next scheduled access time begins. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,15 +78,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you disable this policy setting, users can remain connected to the computer outside of their allotted logon hours. +If you disable this policy setting, users can remain connected to the computer outside of their allotted sign-in hours. ### Countermeasure -Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting does not apply to administrator accounts. +Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting doesn't apply to administrator accounts. ### Potential impact -When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences. +When a user's sign-in time expires, SMB sessions terminate. The user can't sign in to the device until the next scheduled access time commences. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index fcd510671f..1841669403 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -27,15 +27,15 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). +This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol isn't negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). -LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: +LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it's the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: - Join a domain - Authenticate between Active Directory forests - Authenticate to domains based on earlier versions of the Windows operating system -- Authenticate to computers that do not run Windows operating systems, beginning with Windows 2000 -- Authenticate to computers that are not in the domain +- Authenticate to computers that don't run Windows operating systems, beginning with Windows 2000 +- Authenticate to computers that aren't in the domain ### Possible values @@ -56,8 +56,8 @@ authentication level that servers accept. The following table identifies the pol | Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1| | Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2| | Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| -| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.| 4| -| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.| 5| +| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4| +| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5| ### Best practices @@ -90,7 +90,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -106,11 +106,11 @@ In Windows 7 and Windows Vista, this setting is undefined. In Windows Server ### Countermeasure -Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and a number of independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. +Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and many independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. ### Potential impact -Client devices that do not support NTLMv2 authentication cannot authenticate in the domain and access domain resources by using LM and NTLM. +Client devices that don't support NTLMv2 authentication can't authenticate in the domain and access domain resources by using LM and NTLM. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 006e925460..1f59bd9111 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -30,8 +30,8 @@ This security policy reference topic for the IT professional describes the best This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list: - **None**. The LDAP BIND request is issued with the caller-specified options. -- **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. -- **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. +- **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) hasn't been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. +- **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response doesn't indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. @@ -44,7 +44,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob ### Best practices -- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts. +- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This prevention can cause many features to fail, including user authentication, Group Policy, and logon scripts. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -81,7 +81,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers. +Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks difficult if you require digital signatures on all network packets throughs IPsec authentication headers. ### Countermeasure @@ -89,7 +89,7 @@ Configure the **Network security: LDAP client signing requirements** setting to ### Potential impact -If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that do not require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**. +If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that don't require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index d606dc935b..026f314358 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -33,13 +33,13 @@ Setting all of these values for this policy setting will help protect network tr ### Possible values -- Require 128-bit encryption. The connection fails if strong encryption (128-bit) is not negotiated. -- Require NTLMv2 session security. The connection fails if the NTLMv2 protocol is not negotiated. +- Require 128-bit encryption. The connection fails if strong encryption (128-bit) isn't negotiated. +- Require NTLMv2 session security. The connection fails if the NTLMv2 protocol isn't negotiated. - Not Defined. ### Best practices -- Enable all values that are available for this security policy. Legacy client devices that do not support these policy settings will be unable to communicate with the server. +- Enable all values that are available for this security policy. Legacy client devices that don't support these policy settings will be unable to communicate with the server. ### Location @@ -64,7 +64,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy dependencies @@ -84,7 +84,7 @@ Enable all options that are available for the **Network security: Minimum sessio ### Potential impact -Older client devices that do not support these security settings cannot communicate with the computer on which this policy is set. +Older client devices that don't support these security settings can't communicate with the computer on which this policy is set. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index bf5804a540..828f91f36b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -31,7 +31,7 @@ The **Network security: Restrict NTLM: Add remote server exceptions for NTLM aut If you configure this policy setting, you can define a list of remote servers to which client devices are allowed to use NTLM authentication. -If you do not configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. +If you don't configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. List the NetBIOS server names that are used by the applications as the naming format, one per line. To ensure exceptions, the names that are used by all applications need to be in the list. A single asterisk (\*) can be used anywhere in the string as a wildcard character. @@ -43,7 +43,7 @@ List the NetBIOS server names that are used by the applications as the naming fo - Not defined - If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + If you don't configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. ### Best practices @@ -72,7 +72,7 @@ This section describes the features and tools that are available to help you man ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -90,7 +90,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: +When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. @@ -98,13 +98,13 @@ If you define an exception list of servers to which client devices are allowed t ### Countermeasure When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote -servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. +servers in your environment. When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. ### Potential impact -Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this might result in a security vulnerability. +Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this traffic might result in a security vulnerability. -If this list is not defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they have previously used. +If this list isn't defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they've previously used. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 5fb535995e..41ca2e0bee 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -27,11 +27,11 @@ Describes the best practices, location, values, management aspects, and security ## Reference -The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. +The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client devices are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. If you configure this policy setting, you can define a list of servers in this domain to which client devices are allowed to use NTLM authentication. -If you do not configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. +If you don't configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. List the NetBIOS server names as the naming format, one per line. A single asterisk (\*) can be used anywhere in the string as a wildcard character. @@ -43,7 +43,7 @@ List the NetBIOS server names as the naming format, one per line. A single aster - Not defined - If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + If you don't configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. ### Best practices @@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: +When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security @@ -97,14 +97,13 @@ weaknesses in NTLM. ### Countermeasure -When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a -case-by-case basis if NTLM authentication still minimally meets your security requirements. +When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. ### Potential impact Defining a list of servers for this policy setting will enable NTLM authentication traffic between those servers might result in a security vulnerability. -If this list is not defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they have previously used +If this list isn't defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they've previously used ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 47b963ab2a..d1310a007d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -29,18 +29,18 @@ Describes the best practices, location, values, management aspects, and security The **Network Security: Restrict NTLM: Audit incoming NTLM traffic** policy setting allows you to audit incoming NTLM traffic. -When this audit policy is enabled within Group Policy, it is enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. +When this audit policy is enabled within Group Policy, it's enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. When you enable this policy on a server, only authentication traffic to that server will be logged. -When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the -authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. +When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the +authentication traffic in your environment, and when you're ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. ### Possible values - Disable - The server on which this policy is set will not log events for incoming NTLM traffic. + The server on which this policy is set won't log events for incoming NTLM traffic. - Enable auditing for domain accounts @@ -52,7 +52,7 @@ authentication traffic in your environment, and when you are ready to block that - Not defined - This is the same as **Disable**, and it results in no auditing of NTLM traffic. + This state of not being defined is the same as **Disable**, and it results in no auditing of NTLM traffic. ### Best practices @@ -95,11 +95,11 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability -Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. +Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting doesn't prevent or mitigate any vulnerability because it is for audit purposes only. ### Countermeasure @@ -107,7 +107,7 @@ Restrict access to the log files when this policy setting is enabled in your pro ### Potential impact -If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. +If you don't enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index bdbf0e528d..9132d60c97 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -31,25 +31,29 @@ The **Network Security: Restrict NTLM: Audit NTLM authentication in this domain* When you enable this policy setting on the domain controller, only authentication traffic to that domain controller will be logged. -When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you are ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. +When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you're ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. ### Possible values - **Disable** - The domain controller on which this policy is set will not log events for incoming NTLM traffic. + The domain controller on which this policy is set won't log events for incoming NTLM traffic. - **Enable for domain accounts to domain servers** - The domain controller on which this policy is set will log events for NTLM authentication logon attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. + The domain controller on which this policy is set will log events for NTLM authentication sign-in attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. - **Enable for domain accounts** - The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. + The domain controller will log events for NTLM authentication sign-in attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. -- Not defined +- **Enable for domain servers** - This is the same as **Disable** and results in no auditing of NTLM traffic. + The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**. + +- **Enable all** + + The domain controller on which this policy is set will log all events for incoming NTLM traffic. ### Best practices @@ -92,19 +96,19 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability -Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. +Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting doesn't prevent or mitigate any vulnerability because it is for audit purposes only. ### Countermeasure Restrict access to the log files when this policy setting is enabled in your production environment. ### Potential impact -If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. +If you don't enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index cbcc2e7d66..2bb128f669 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -37,20 +37,20 @@ The **Network Security: Restrict NTLM: Incoming NTLM traffic** policy setting al - **Deny all domain accounts** - The server will deny NTLM authentication requests for domain logon, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account logon. + The server will deny NTLM authentication requests for domain sign in, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account sign in. - **Deny all accounts** - The server will deny NTLM authentication requests from all incoming traffic (whether domain account logon or local account logon), return an NTLM blocked error message to the client device, and log the error. + The server will deny NTLM authentication requests from all incoming traffic (whether domain account sign in or local account sign in), return an NTLM blocked error message to the client device, and log the error. - Not defined - This is the same as **Allow all**, and the server will allow all NTLM authentication requests. + This state of not being defined is the same as **Allow all**, and the server will allow all NTLM authentication requests. ### Best practices -If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. It is better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM. +If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. It's better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and then what client applications are using NTLM. ### Location @@ -89,7 +89,7 @@ There are no Security Audit Event policies that can be configured to view event This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability @@ -97,7 +97,7 @@ Malicious attacks on NTLM authentication traffic that result in a compromised se ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. +When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 0c1396e74f..2589d1f95d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, management aspects, and security ## Reference -The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting does not affect interactive logon to this domain controller. +The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting doesn't affect interactive logon to this domain controller. ### Possible values @@ -36,17 +36,17 @@ The **Network Security: Restrict NTLM: NTLM authentication in this domain** poli - **Deny for domain accounts to domain servers** - The domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + The domain controller will deny all NTLM authentication sign-in attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. - NTLM can be used if the users are connecting to other domains. This depends on if any Restrict NTLM policies have been set on those domains. + NTLM can be used if the users are connecting to other domains, depending on whether any Restrict NTLM policies have been set on those domains. - **Deny for domain accounts** - Only the domain controller will deny all NTLM authentication logon attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + Only the domain controller will deny all NTLM authentication sign-in attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. - **Deny for domain servers** - The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that are not joined to the domain will not be affected if this policy setting is configured. + The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that aren't joined to the domain won't be affected if this policy setting is configured. - **Deny all** @@ -97,7 +97,7 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability @@ -105,7 +105,7 @@ Malicious attacks on NTLM authentication traffic resulting in a compromised serv ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage +When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index f53a1e1665..57d8b13de1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/15/2022 ms.technology: windows-sec --- @@ -25,6 +25,10 @@ ms.technology: windows-sec Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. + +> [!NOTE] +> For more information about configuring a server to be accessed remotely, see [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access). + ## Reference The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. @@ -39,19 +43,19 @@ The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** - **Audit all** - The device that sends the NTLM authentication request to a remote server logs an event for each request. This allows you to identify those servers that receive NTLM authentication requests from the client device + The device that sends the NTLM authentication request to a remote server logs an event for each request. This event allows you to identify those servers that receive NTLM authentication requests from the client device. - **Deny all** - The device cannot authenticate any identities to a remote server by using NTLM authentication. You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. + The device can't authenticate any identities to a remote server by using NTLM authentication. You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. - Not defined - This is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. + This state of being not defined is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. ### Best practices -If you select **Deny all**, the client device cannot authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. +If you select **Deny all**, the client device can't authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. ### Location @@ -90,7 +94,7 @@ There are no security audit event policies that can be configured to view event This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability @@ -98,7 +102,7 @@ Malicious attacks on NTLM authentication traffic that result in a compromised se ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. +When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 74efe115ae..5bcf16ede3 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -31,7 +31,7 @@ The **Passwords must meet complexity requirements** policy setting determines wh 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive. The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: @@ -45,11 +45,11 @@ The **Passwords must meet complexity requirements** policy setting determines wh Complexity requirements are enforced when passwords are changed or created. -The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. +The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they can't be directly modified. When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it. -Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0). +Other settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0). ### Possible values @@ -64,9 +64,9 @@ Additional settings that can be included in a custom Passfilt.dll are the use of Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. -The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.) +The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that don't add more complexity to the password.) -Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and/or meet complexity requirements. +Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this vulnerability, passwords should contain other characters and/or meet complexity requirements. ### Location @@ -95,7 +95,7 @@ Passwords that contain only alphanumeric characters are easy to discover with se ### Countermeasure -Configure the **Passwords must meet complexity requirements** policy setting to _Enabled_ and advise users to use a variety of characters in their passwords. +Configure the **Passwords must meet complexity requirements** policy setting to _Enabled_ and advise users to use various characters in their passwords. When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it's difficult (but possible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index 514e1a9ea7..fb0e337c6b 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -65,7 +65,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 599cb50810..c0fb47def4 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are logged on to a computer. +The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are signed in to a computer. ### Countermeasure @@ -93,7 +93,7 @@ Ensure that only the local Administrators group is assigned the **Profile single ### Potential impact -If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. +If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index 47f372d723..8eeabdcf30 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index c188b74c08..ce9ada3153 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required. -The Recovery Console can be useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. +The Recovery Console can be useful when troubleshooting and repairing systems that can't be restarted. However, enabling this policy setting so a user can automatically sign in to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. ### Possible values @@ -39,15 +39,15 @@ The Recovery Console can be useful when troubleshooting and repairing systems th - Disabled - Automatic administrative logon is not allowed. + Automatic administrative logon isn't allowed. - Not defined - Automatic administrative logon is not allowed. + Automatic administrative logon isn't allowed. ### Best practices -- Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This requires a user to enter a user name and password to access the Recovery Console account. +- Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This setting requires a user to enter a user name and password to access the Recovery Console account. ### Location @@ -72,7 +72,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -88,7 +88,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The Recovery Console can be very useful when you must troubleshoot and repair device that do not start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. +The Recovery Console can be useful when you must troubleshoot and repair devices that don't start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index c06d6f180c..9c9c56c5db 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -34,7 +34,7 @@ This policy setting enables or disables the Recovery Console SET command, which - **AllowRemovableMedia**. Allows files to be copied to removable media, such as a floppy disk. - **NoCopyPrompt**. Suppresses the prompt that typically displays before an existing file is overwritten. -You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This causes the server's network services to be unavailable. +You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This boot causes the server's network services to be unavailable. ### Possible values @@ -44,7 +44,7 @@ You might forget to remove removable media, such as CD or floppy disk, with sens ### Best practices -- Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk. +- Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account won't be able to copy files and folders to a floppy disk. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -86,7 +86,7 @@ Enabling this security option makes the Recovery Console SET command available, - AllowWildCards: Enable wildcard support for some commands (such as the DEL command). - AllowAllPaths: Allow access to all files and folders on the device. - AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. -- NoCopyPrompt: Do not prompt when overwriting an existing file. +- NoCopyPrompt: Don't prompt when overwriting an existing file. ## Security considerations @@ -102,7 +102,7 @@ Disable the **Recovery console: Allow floppy copy and access to drives and folde ### Potential impact -Users who have started a server through the Recovery Console and logged in with the built-in Administrator account cannot copy files and folders to a floppy disk. +Users who have started a server through the Recovery Console and logged in with the built-in Administrator account can't copy files and folders to a floppy disk. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index 4508560bdc..b42bad16dd 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines whether a user can undock a portable device from its docking station without logging on. This policy setting only affects scenarios that involve a portable computer and its docking station. -If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must log on before removing the portable device from its docking station. Otherwise, as a security measure, the user will not be able to log on after the device is removed from the docking station. If this policy is not assigned, the user may remove the portable device from its docking station without logging on, and then have the ability to start and log on to the device afterwards in its undocked state. +If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must sign in before removing the portable device from its docking station. Otherwise, as a security measure, the user won't be able to sign in after the device is removed from the docking station. If this policy isn't assigned, the user may remove the portable device from its docking station without signing in, and then have the ability to start and sign in to the device afterwards in its undocked state. Constant: SeUndockPrivilege @@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -Although this portable device scenario does not normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. +Although this portable device scenario doesn't normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. @@ -65,7 +65,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -86,10 +86,10 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Anyone who has the **Remove computer from docking station** user right can log on and then remove a portable device from its docking station. If this setting is not defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: +Anyone who has the **Remove computer from docking station** user right can sign in and then remove a portable device from its docking station. If this setting isn't defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: - If attackers can restart the device, they could remove it from the docking station after the BIOS starts but before the operating system starts. -- This setting does not affect servers because they typically are not installed in docking stations. +- This setting doesn't affect servers because they typically aren't installed in docking stations. - An attacker could steal the device and the docking station together. - Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. @@ -99,7 +99,7 @@ Ensure that only the local Administrators group and the user account to which th ### Potential impact -By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users are not members of the local Administrators groups on their portable devices, they cannot remove their portable devices from their docking stations if they do not first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. +By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users aren't members of the local Administrators groups on their portable devices, they can't remove their portable devices from their docking stations if they don't first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 87951d31f4..51f96f1875 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). +The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to sign in before the failed sign-in attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). -The disadvantage of a high setting is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. +The disadvantage of a high setting is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through sign-in errors. Users may make excessive Help Desk calls. ### Possible values @@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. -[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). +[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). ### Location @@ -73,7 +73,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the ### Potential impact -If you do not configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to log on to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to log on after a failed logon within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. +If you don't configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to sign in to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to sign in after a failed sign in within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index a1d965558b..012a47736e 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. -This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you cannot configure are not described in this reference. +This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you can't configure aren't described in this reference. Each policy setting described contains referential content such as a detailed explanation of the settings, best practices, default settings, differences between operating system versions, policy management considerations, and security considerations that include a discussion of vulnerability, countermeasures, and potential impact of those countermeasures. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index a0a8270da7..b7c8b59b5f 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -23,10 +23,11 @@ ms.technology: windows-sec **Applies to** - Windows 10 +- Windows 11 This reference topic describes the common scenarios, architecture, and processes for security settings. -Security policy settings are rules that administrators configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. +Security policy settings are rules that administrators configure on a computer or multiple devices for protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. Security settings can control: @@ -44,7 +45,7 @@ For more info about managing security configurations, see [Administer security p The Security Settings extension of the Local Group Policy Editor includes the following types of security policies: -- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies: +- **Account Policies.** These policies are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies: - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts. - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts. @@ -57,15 +58,15 @@ The Security Settings extension of the Local Group Policy Editor includes the fo > [!NOTE] > For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. - - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device - - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. + - **User Rights Assignment.** Specify the users or groups that have sign-in rights or privileges on a device + - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; sign-in prompts; and so on. - **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. - **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. - **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. - **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. - **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. -- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. +- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks by using cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. - **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. ## Policy-based security settings management @@ -87,7 +88,7 @@ Importing a security template to a GPO ensures that any accounts to which the GP > [!NOTE] > These refresh settings vary between versions of the operating system and can be configured. -By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. +By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update many servers with any other changes required in the future. ### Dependencies on other operating system technologies @@ -95,7 +96,7 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Active Directory Domain Services (AD DS)** - The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. + The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single sign in. - **Group Policy** @@ -103,7 +104,7 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Domain Name System (DNS)** - A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. + A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This service allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. - **Winlogon** @@ -115,11 +116,11 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Security Accounts Manager (SAM)** - A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs. + A Windows service used during the sign-in process. SAM maintains user account information, including groups to which a user belongs. - **Local Security Authority (LSA)** - A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. + A protected subsystem that authenticates and signs in users to the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. - **Windows Management Instrumentation (WMI)** @@ -127,7 +128,7 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Resultant Set of Policy (RSoP)** - An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. + An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. These public methods allow administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. - **Service Control Manager (SCM)** @@ -189,11 +190,11 @@ The following list describes these primary features of the security configuratio - **scesrv.dll** - This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. + This .dll file is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. - Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. + Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it isn't. Communication between parts of the Security Settings extension occurs by using the following methods: @@ -210,7 +211,7 @@ The following list describes these primary features of the security configuratio - **Scecli.dll** - This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. + This Scecli.dll is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It's used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. @@ -228,7 +229,7 @@ The following list describes these primary features of the security configuratio - **Secedit.sdb** - This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. + This Secedit.sdb is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. - **User databases** @@ -236,7 +237,7 @@ The following list describes these primary features of the security configuratio - **.Inf Templates** - These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. + These templates are text files that contain declarative security settings. They're loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they're downloaded (by using file copy) and merged into the system database during policy propagation. ## Security settings policy processes and interactions @@ -244,27 +245,27 @@ For a domain-joined device, where Group Policy is administered, security setting ### Group Policy processing -When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: +When a computer starts and a user signs in, computer policy and user policy are applied according to the following sequence: 1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. 1. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. - The location of the device in Active Directory. - - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects hasn't changed, no processing is done. -1. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. -1. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. -1. The user presses CTRL+ALT+DEL to log on. -1. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. +1. Computer policy is applied. These settings are the ones under Computer Configuration from the gathered list. This process is a synchronous one by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. +1. Startup scripts run. These scripts are hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. +1. The user presses CTRL+ALT+DEL to sign in. +1. After the user is validated, the user profile loads; it's governed by the policy settings that are in effect. 1. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. - The location of the user in Active Directory. - - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects hasn't changed, no processing is done. -1. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. +1. User policy is applied. These settings are the ones under User Configuration from the gathered list. These settings are synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. 1. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. 1. The operating system user interface that is prescribed by Group Policy appears. @@ -296,7 +297,7 @@ Group Policy settings are processed in the following order: 1. **Domain.** - Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy. + Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you specify. 1. **Organizational units.** @@ -306,7 +307,7 @@ At the level of each organizational unit in the Active Directory hierarchy, one, This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects. -This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. For more information see [Group Policy Basics – Part 2: Understanding Which GPOs to Apply](/archive/blogs/musings_of_a_technical_tam/group-policy-basics-part-2-understanding-which-gpos-to-apply). +This order is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they can't be blocked. For more information, see [Group Policy Basics – Part 2: Understanding Which GPOs to Apply](/archive/blogs/musings_of_a_technical_tam/group-policy-basics-part-2-understanding-which-gpos-to-apply). ### Security settings policy processing @@ -333,9 +334,9 @@ The following figure illustrates the security settings policy processing. ### Merging of security policies on domain controllers -Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: +Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This merging is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: -- Network Security: Force logoff when logon hours expire +- Network Security: Force sign out when sign-in hours expire - Accounts: Administrator account status - Accounts: Guest account status - Accounts: Rename administrator account @@ -349,11 +350,11 @@ If an application is installed on a primary domain controller (PDC) with operati ### When security settings are applied -After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: +After you've edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: - When a device is restarted. - Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. -- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. +- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO hasn't changed. ### Persistence of security settings policy @@ -361,11 +362,11 @@ Security settings can persist even if a setting is no longer defined in the poli Security settings might persist in the following cases: -- The setting has not been previously defined for the device. +- The setting hasn't been previously defined for the device. - The setting is for a registry security object. - The settings are for a file system security object. -All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. +All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value doesn't exist in the database, then the setting doesn't revert to anything and remains defined as is. This behavior is sometimes referred to as "tattooing". Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. @@ -376,7 +377,7 @@ Both Apply Group Policy and Read permissions are required to have the settings f ### Filtering security policy -By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. +By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or won't have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. > [!NOTE] > Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. @@ -385,9 +386,9 @@ By default, all GPOs have Read and Apply Group Policy both Allowed for the Authe In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. -Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs is not as simple as taking a folder and copying it from one device to another. +Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs isn't as simple as taking a folder and copying it from one device to another. -The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another. +The following security policies can contain security principals and might require some more work to successfully move them from one domain to another. - User rights assignment - Restricted groups @@ -396,7 +397,7 @@ The following security policies can contain security principals and might requir - Registry - The GPO DACL, if you choose to preserve it during a copy operation -To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. +To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When there's a migration of a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. ## In this section @@ -404,4 +405,4 @@ To ensure that data is copied correctly, you can use Group Policy Management Con | - | - | | [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.| | [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.| -| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.| \ No newline at end of file +| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.| diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index 57374f2aa8..597fe3f069 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines if a user who is logged on locally to a device can shut down Windows. -Shutting down domain controllers makes them unable to do things like process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing logon requests for new passwords, which are done by the primary domain controller (PDC) emulator master. +Shutting down domain controllers makes them unable to do things like process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing sign-in requests for new passwords, which are done by the primary domain controller (PDC) emulator master. The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancel a shutdown. @@ -44,7 +44,7 @@ Constant: SeShutdownPrivilege ### Best practices 1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers. And that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks won't be negatively affected. -2. The ability to shut down domain controllers should be limited to a small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller. +2. The ability to shut down domain controllers should be limited to a few trusted administrators. Even though a system shutdown requires the ability to sign in to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller. ### Location @@ -69,13 +69,13 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ### Group Policy -This user right does not have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). +This user right doesn't have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: @@ -92,11 +92,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be careful about which accounts and groups you allow to shut down a domain controller. +The ability to shut down domain controllers should be limited to a few trusted administrators. Although the **Shut down the system** user right requires the ability to sign in to the server, you should be careful about which accounts and groups you allow to shut down a domain controller. -When a domain controller is shut down, it can't process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which are performed by the PDC master. +When a domain controller is shut down, it can't process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing sign-in requests for new passwords, which are performed by the PDC master. -For other server roles, especially roles where non-administrators have rights to log on to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers. +For other server roles, especially roles where non-administrators have rights to sign in to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 4cada523db..185bbf975e 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they are not used. On a running device, this paging file is opened exclusively by the operating system, and it is well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file is not available to an unauthorized user who manages to directly access the paging file after shutdown. +This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they aren't used. On a running device, this paging file is opened exclusively by the operating system, and it's well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file isn't available to an unauthorized user who manages to directly access the paging file after shutdown. -Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file. A malicious user who has physical access to the server can bypass this countermeasure by simply unplugging the server from its power source. +Important information that is kept in real memory might be written periodically to the paging file. This periodical write-operation helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This process is a time-consuming one, but it can expose data that is cached from RAM to the paging file. A malicious user who has physical access to the server can bypass this countermeasure by unplugging the server from its power source. ### Possible values @@ -42,7 +42,7 @@ Important information that is kept in real memory might be written periodically ### Best practices -- Set this policy to **Enabled**. This causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. +- Set this policy to **Enabled**. This policy setting causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. ### Location @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -85,7 +85,7 @@ Enable the **Shutdown: Clear virtual memory page file** setting. This configurat ### Potential impact -It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. +It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations, this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index d5ebfdefe1..b720770fd9 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -23,7 +23,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). @@ -34,7 +34,7 @@ This policy setting determines whether SMB packet signing must be negotiated bef Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. @@ -85,7 +85,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -95,7 +95,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -112,9 +112,9 @@ In highly secure environments, we recommend that you configure all of these sett ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index b1dc905ad5..b912861503 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -22,7 +22,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-always.md). @@ -32,7 +32,7 @@ The Server Message Block (SMB) protocol provides the basis for Microsoft file an Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -If server-side SMB signing is required, a client computer will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client computer won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. @@ -84,7 +84,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -95,7 +95,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -106,16 +106,16 @@ Configure the settings as follows: - Enable **Microsoft network client: Digitally sign communications (if server agrees)**. - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). -In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. > [!NOTE] > An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index e091179e64..49782f3f58 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -23,7 +23,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMB v1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMB v1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. Fore more information, see [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). @@ -34,9 +34,9 @@ This policy setting determines whether SMB packet signing must be negotiated bef Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set won't be able to communicate with devices that don't have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. @@ -88,7 +88,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -98,7 +98,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -109,15 +109,15 @@ Configure the settings as follows: - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). -In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. >**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 228cd2ec2b..75a325c3b4 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -23,7 +23,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-always.md). @@ -34,7 +34,7 @@ This policy setting determines whether SMB packet signing must be negotiated bef Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. @@ -87,7 +87,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -97,7 +97,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -108,15 +108,15 @@ Configure the settings as follows: - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable **Microsoft network server: Digitally sign communications (if client agrees)**. -In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. >**Note:** An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. ### Potential impact -SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index ea2f55d403..316d4868dd 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. +The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. @@ -39,7 +39,7 @@ Information Services (IIS) also requires that you enable this policy setting. ### Best practices -Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. +Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This setting presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. >**Note:**  Do not enable this policy setting unless business requirements outweigh the need to protect password information. @@ -77,7 +77,7 @@ Disable the **Store password using reversible encryption** policy setting. ### Potential impact -If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. +If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This setting presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 88f07c4037..e6e95159e1 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -46,7 +46,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -By default this setting is not defined on domain controllers and on stand-alone servers. +By default this setting isn't defined on domain controllers and on stand-alone servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses. +The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate more attacks or expose sensitive data, such as direct telephone numbers or physical addresses. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index d5dd1f683e..7e0e17cc6d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password. -Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally-stored user keys, even if the attacker takes control of the user's device and determines their logon password. +Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally stored user keys, even if the attacker takes control of the user's device and determines their sign-in password. ### Possible values @@ -40,7 +40,7 @@ Configuring this policy setting so that users must provide a password every time ### Best practices -- Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they will be forced to enter the password for that certificate every time they send a signed email message. For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. +- Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they'll be forced to enter the password for that certificate every time they send a signed email message. For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. ### Location @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -77,11 +77,11 @@ If a user's account is compromised or the user's device is inadvertently left un ### Countermeasure -Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the logon password. +Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the sign-in password. ### Potential impact -Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they are forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. At a minimum, this setting should be set to **User is prompted when the key is first used**. +Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they're forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. At a minimum, this setting should be set to **User is prompted when the key is first used**. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index e98291ef6b..e38443c02b 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -57,7 +57,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP ### Best practices -We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode. +We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode. For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md). @@ -82,11 +82,11 @@ The following table lists the actual and effective default values for this polic When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. -When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to versions listed in the following: +When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to the following versions: | Operating systems | Applicability | | - | - | -| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password cannot be used on other systems listed in this table.| +| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.| | Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| | Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| | Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| @@ -97,7 +97,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -117,8 +117,8 @@ Enable the **System cryptography: Use FIPS compliant algorithms for encryption, ### Potential impact -Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool -uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. +Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool +uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices aren't configured to use the same encryption algorithms. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 3a9ceb4840..9c7c2c4433 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is not case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting does not allow the Win32 subsystem to become case sensitive. +This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem isn't case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting doesn't allow the Win32 subsystem to become case sensitive. -Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting is not enforced, it is possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. +Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting isn't enforced, it's possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That convention might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. ### Possible values @@ -39,13 +39,13 @@ Because Windows is case insensitive but the POSIX subsystem will support case se - Disabled - Will not allow the Win32 subsystem to become case sensitive. + Won't allow the Win32 subsystem to become case sensitive. - Not defined ### Best practices -- Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. +- Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this insensitivity might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index abd9724c03..71e2fa8221 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -1,6 +1,6 @@ --- -title: System objects Strengthen default permissions of internal system objects (e.g., Symbolic Links) (Windows 10) -description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links). +title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links) (Windows 10) +description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (for example, Symbolic Links). ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 ms.reviewer: ms.author: dansimp @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. By using this list, processes can locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who are not administrators to read, but not to modify, shared objects that they did not create. +This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. The processes use this list to locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who aren't administrators to read, but not to modify, shared objects that they didn't create. ### Possible values @@ -37,7 +37,7 @@ This policy setting determines the strength of the default discretionary access ### Best practices -- It is advisable to set this policy to **Enabled**. +- It's advisable to set this policy to **Enabled**. ### Location @@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -70,7 +70,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it is possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they did not create. +This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it's possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they didn't create. ### Countermeasure @@ -78,7 +78,7 @@ Enable the **System objects: Strengthen default permissions of global system obj ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index a271d9f87f..8db727008d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines which subsystems support your applications. You can use this security setting to specify as many subsystems as your environment demands. -The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then logs out, the next user who logs on to the system might access the process that the previous user started. This is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. +The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then signs out, the next user who signs in to the system might access the process that the previous user started. This pattern is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This privileges rollover makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. ### Possible values @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -73,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX subsystem is required if the server supports applications that use that subsystem. -The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This would allow the second user to take actions on the process by using the privileges of the first user. +The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across sign-ins. If a user starts a process and then signs out, there's a potential that the next user who signs in to the computer could access the previous user's process. This accessibility would allow the second user to take actions on the process by using the privileges of the first user. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 9791d8a12d..e58a8d0925 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index c4781f258c..b3272708b2 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -31,7 +31,7 @@ This policy setting determines which users can take ownership of any securable o Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted. -By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object. +By default, the owner is the person who or the process that created the object. Owners can always change permissions to objects, even when they're denied all access to the object. Constant: SeTakeOwnershipPrivilege @@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 16e00a82f8..d6d32d8a08 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management and security c ## Reference This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. -When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges. By default, Admin Approval Mode is set to **Disabled**. +When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode isn't enabled, the built-in Administrator account runs all applications by default with full administrative privileges. By default, Admin Approval Mode is set to **Disabled**. > [!NOTE] > If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. @@ -40,11 +40,11 @@ When the Admin Approval Mode is enabled, the local administrator account functio - Disabled - If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges + If Admin Approval Mode isn't enabled, the built-in Administrator account runs all applications by default with full administrative privileges ### Best practices -- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) +- It's recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK. @@ -74,7 +74,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the Administrator account because that user account was created for all installations of Windows. To address this risk, the built-in Administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the Administrator account is enabled, and the password must be changed the first time the administrator logs on. In a default installation of a computer running at least Windows Vista, if the computer is not joined to a domain, the first user account you create has the equivalent permissions of a local administrator. +One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the Administrator account because that user account was created for all installations of Windows. To address this risk, the built-in Administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the Administrator account is enabled, and the password must be changed the first time the administrator logs on. In a default installation of a computer running at least Windows Vista, if the computer isn't joined to a domain, the first user account you create has the equivalent permissions of a local administrator. ### Countermeasure @@ -90,7 +90,7 @@ Enable the **User Account Control: Admin Approval Mode for the Built-in Administ ### Potential impact -Users who log on by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. +Users who sign in by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. ## Related topics - [Security Options](/windows/device-security/security-policy-settings/security-options) \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 8526a457ae..4ade31f9ed 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -91,7 +91,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -99,7 +99,7 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep ### Policy interactions -If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. +If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it's configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. ## Security considerations @@ -107,13 +107,13 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: +UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This requests-appearance increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: - ..\\Program Files\\ (and subfolders) - ..\\Program Files (x86)\\ (and subfolders, in 64-bit versions of Windows only) - ..\\Windows\\System32\\ -The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it is used primarily in certain Windows Remote Assistance scenarios. +The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it's used primarily in certain Windows Remote Assistance scenarios. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index e653550846..06252b3d4a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -33,9 +33,9 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Elevate without prompting** - Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. + Assumes that the administrator will permit an operation that requires elevation, and more consent or credentials aren't required. - **Note**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + **Note**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. - **Prompt for credentials on the secure desktop** @@ -55,18 +55,18 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Prompt for consent for non-Windows binaries** - This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + This prompt for consent is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. -\*If you have enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**. +\*If you've enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**. > [!NOTE] > After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. ### Best practices -- Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. +- Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. -- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For further information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) +- It's recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For more information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) ### Location @@ -90,7 +90,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -110,7 +110,7 @@ Configure the **User Account Control: Behavior of the elevation prompt for admin ### Potential impact -Administrators should be made aware that they will be prompted for consent when all binaries attempt to run. +Administrators should be made aware that they'll be prompted for consent when all binaries attempt to run. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 48f2dfa8c7..dcc2829197 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -37,7 +37,7 @@ This policy setting determines the behavior of the elevation prompt for standard - **Prompt for credentials on the secure desktop** - This is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + This prompt for credentials is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Prompt for credentials** @@ -45,8 +45,8 @@ This policy setting determines the behavior of the elevation prompt for standard ### Best practices -1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. -2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. +1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. +2. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. ### Location @@ -71,7 +71,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -87,11 +87,11 @@ One of the risks that the UAC feature tries to mitigate is that of malicious pro ### Countermeasure -Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. +Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. ### Potential impact -Users must provide administrative passwords to run programs with elevated privileges. This could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. +Users must provide administrative passwords to run programs with elevated privileges. This impact could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 431ac04a15..53b87039e9 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -38,7 +38,7 @@ Some software might attempt to install itself after being given permission to ru - **Disabled** - Application installation packages that require an elevation of privilege to install are not detected and the user is not prompted for administrative credentials. + Application installation packages that require an elevation of privilege to install aren't detected and the user isn't prompted for administrative credentials. ### Best practices @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 242580312c..0f83be229f 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -31,18 +31,18 @@ This policy setting enforces public key infrastructure (PKI) signature checks on A trusted publisher is a certificate issuer that the computer’s user has chosen to trust and that has certificate details that have been added to the store of trusted publishers. -Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they are owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from a number of different certification authorities (CAs). +Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they're owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from many different certification authorities (CAs). When certificate path discovery is initiated, Windows attempts to locate the issuing CA for the certificates, and it builds a certificate path to the trusted root certificate. Intermediate certificates are included as part of the application protocol or are picked up from Group Policy or through URLs that are specified in the Authority Information Access (AIA) extension. When the path is built, each certificate in the path is verified for validity with respect to various parameters, such as name, time, signature, revocation status, and other constraints. ### Possible values - **Enabled** - Enforces the PKI certificate chain validation of a given executable file before it is permitted to run. + Enforces the PKI certificate chain validation of a given executable file before it's permitted to run. - **Disabled** - Does not enforce PKI certificate chain validation before a given executable file is permitted to run. + Doesn't enforce PKI certificate chain validation before a given executable file is permitted to run. ### Best practices @@ -71,7 +71,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -91,8 +91,8 @@ Enable the **User Account Control: Only elevate executables that are signed and ### Potential impact -Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications are not signed, and they cannot be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. -Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting is not an assurance that all rogue applications will be found. +Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications aren't signed, and they can't be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. +Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting isn't an assurance that all rogue applications will be found. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 76a8bc97a2..2c36882505 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -59,7 +59,7 @@ If an application presents a UIAccess attribute when it requests privileges, the - **Disabled** - An application can start with UIAccess integrity even if it does not reside in a secure location in the file system. + An application can start with UIAccess integrity even if it doesn't reside in a secure location in the file system. ### Best practices @@ -103,7 +103,7 @@ This section describes: ### Vulnerability -UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that transmit user interfaces to alternative forms. But it's not required by most applications. A process that's started with UIAccess rights has the following abilities: +UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as sign-in prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that transmit user interfaces to alternative forms. But it's not required by most applications. A process that's started with UIAccess rights has the following abilities: - Set the foreground window. - Drive any application window by using the SendInput function. @@ -117,7 +117,7 @@ Enable the **User Account Control: Only elevate UIAccess applications that are i ### Potential impact -If the application that requests UIAccess meets the UIAccess setting requirements, computers that run at least the Windows Vista operating system start the application with the ability to bypass most UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. +If the application that requests UIAccess meets the UIAccess setting requirements, computers that run at least the Windows Vista operating system start the application with the ability to bypass most UIPI restrictions. If the application doesn't meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index 6760e38f5a..3d53a0a2f4 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -27,7 +27,7 @@ This article describes the best practices, location, values, policy management a ## Reference -This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This is the setting that turns UAC on or off. +This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This setting is the one that turns on or off the UAC. ### Possible values diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 5eb4fbd4e9..15ef6860e1 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting determines whether the elevation request prompts on the interactive user desktop or on the secure desktop. -The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied. +The secure desktop presents the sign-in UI and restricts functionality and access to the system until the sign-in requirements are satisfied. The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. @@ -71,7 +71,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -91,7 +91,7 @@ Enable the **User Account Control: Switch to the secure desktop when prompting f ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index dda6b18a18..97de8498ea 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKEY\_LOCAL\_MACHINE\\Software\\. -This feature can be disabled for applications on devices running at least Windows Vista because it is unnecessary. +This feature can be disabled for applications on devices running at least Windows Vista because it's unnecessary. ### Possible values @@ -43,7 +43,7 @@ This feature can be disabled for applications on devices running at least Window ### Best practices -1. If you run applications that are not Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. +1. If you run applications that aren't Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. 2. If you only run at least Windows Vista–compliant applications, this feature is unnecessary so you can disable this policy. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -89,7 +89,7 @@ Enable the **User Account Control: Virtualize file and registry write failures t ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 411b14fcba..8eabd03b34 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -23,7 +23,7 @@ Windows Event Forwarding (WEF) reads any operational or administrative event log To accomplish this functionality, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects more events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. -This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis. +This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they're largely used for host forensic analysis. An SEM’s strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed. @@ -37,7 +37,7 @@ Here's an approximate scaling guide for WEF events: | 5,000 - 50,000 | SEM | | 50,000+ | Hadoop/HDInsight/Data Lake | -Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This condition is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files hasn't resulted in noticeable performance differences. +Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This condition is because WEF is a passive system regarding the event log. It can't change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling more event channels and expanding the size of event log files hasn't resulted in noticeable performance differences. For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). @@ -50,7 +50,7 @@ This system of dual subscription means you would create two base subscriptions: - **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines. - **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. -Each using the respective event query below. For the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. +Each using the respective event query below. For the Targeted subscription, enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These subscriptions are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. @@ -62,11 +62,11 @@ This section addresses common questions from IT pros and customers. The short answer is: No. -The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and navigates to that channel, they won't notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. +The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and navigates to that channel, they won't notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there's an issue with the WEF subscription, there's no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. ### Is WEF Push or Pull? -A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. +A WEF subscription can be configured to be pushed or pulled, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. ### Will WEF work over VPN or RAS? @@ -75,7 +75,7 @@ WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and sen ### How is client progress tracked? The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a -WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. +WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it's active. This heartbeat value can be individually configured for each subscription. ### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? @@ -93,12 +93,11 @@ The HTTPS option is available if certificate based authentication is used, in ca The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). -When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. +When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there's no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. ### What format is used for forwarded events? -WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is -“Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. +WEF has two modes for forwarded events. The default is “Rendered Text” that includes the textual description of the event as you would see it in Event Viewer. This description's inclusion means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This format is compact and can more than double the event volume a single WEC server can accommodate. A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility: @@ -109,19 +108,19 @@ Wecutil ss “testSubscription” /cf:Events ### How frequently are WEF events delivered? -Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. +Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but can't be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. This table outlines the built-in delivery options: | Event delivery optimization options | Description | | - | - | -| Normal | This option ensures reliable delivery of events and doesn't attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | -| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | -| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | +| Normal | This option ensures reliable delivery of events and doesn't attempt to conserve bandwidth. It's the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | +| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It's an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | +| Minimize latency | This option ensures that events are delivered with minimal delay. It's an appropriate choice if you're collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | For more info about delivery options, see [Configure Advanced Subscription Settings](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749167(v=ws.11)). -The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: +The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements, you can set Custom event delivery options for a given subscription from an elevated command prompt: ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime @@ -139,15 +138,15 @@ For collector initiated subscriptions: The subscription contains the list of mac ### Can a client communicate to multiple WEF Event Collectors? -Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. +Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. ### What are the WEC server’s limitations? There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions. - **Disk I/O**. The WEC server doesn't process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. -- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. -- **Registry size**. For each unique device that connects to a WEF subscription, there is a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this isn't pruned to remove inactive clients this set of registry keys can grow to an unmanageable size over time. +- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This leniency means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. +- **Registry size**. For each unique device that connects to a WEF subscription, there's a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this information isn't pruned to remove inactive clients, this set of registry keys can grow to an unmanageable size over time. - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. @@ -155,30 +154,30 @@ There are three factors that limit the scalability of WEC servers. The general r ## Subscription information -Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. +Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These items are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. ### Baseline subscription -While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription doesn't require special configuration on client devices to enable event channels or modify channel permissions. +While this subscription appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription doesn't require special configuration on client devices to enable event channels or modify channel permissions. -The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements which filter out specific events, only apply within that query statement and aren't to the entire subscription. +The subscription is essentially a collection of query statements applied to the Event Log. This subscription means that it's modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements that filter out specific events, only apply within that query statement and aren't to the entire subscription. ### Baseline subscription requirements -To gain the most value out of the baseline subscription we recommend to have the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. +To gain the most value out of the baseline subscription, we recommend having the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. -- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events. +- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events. - Apply at least an Audit-Only AppLocker policy to devices. - - If you are already allowing or restricting events by using AppLocker, then this requirement is met. - - AppLocker events contain extremely useful information, such as file hash and digital signature information for executables and scripts. + - If you're already allowing or restricting events by using AppLocker, then this requirement is met. + - AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts. - Enable disabled event channels and set the minimum size for modern event files. -- Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). +- Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. This threshold must be defined by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf). -- Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. +- Anti-malware events from Microsoft Antimalware or Windows Defender. These events can be configured for any given anti-malware product easily if it writes to the Windows event log. - Security event log Process Create events. - AppLocker Process Create events (EXE, script, packaged App installation and execution). - Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). @@ -192,7 +191,7 @@ The annotated event query can be found in the following. For more info, see [App - Certificate Authority audit events - - This is only applicable on systems with the Certificate Authority role installed. + - These events are only applicable on systems with the Certificate Authority role installed. - Logs certificate requests and responses. - User profile events @@ -211,28 +210,29 @@ The annotated event query can be found in the following. For more info, see [App - Find out what initiated the restart of a device. -- User initiated interactive logoff event +- User-initiated interactive sign-out event - Remote Desktop Services sessions connect, reconnect, or disconnect. - EMET events, if EMET is installed. - Event forwarding plugin events - - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. + - For monitoring WEF subscription operations, such as Partial Success events. This event is useful for diagnosing deployment issues. - Network share creation and deletion - Enables detection of unauthorized share creation. - >**Note:** All shares are re-created when the device starts. + > [!NOTE] + > All shares are re-created when the device starts. -- Logon sessions +- Sign-in sessions - - Logon success for interactive (local and Remote Interactive/Remote Desktop) - - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. - - Logon success for batch sessions - - Logon session close, which is logoff events for non-network sessions. + - Sign-in success for interactive (local and Remote Interactive/Remote Desktop) + - Sign-in success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. + - Sign-in success for batch sessions + - Sign-in session close, which is sign-out events for non-network sessions. - Windows Error Reporting (Application crash events only) - - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. + - This session can help detect early signs of intruder not familiar with enterprise environment using targeted malware. - Event log service events @@ -240,11 +240,11 @@ The annotated event query can be found in the following. For more info, see [App - Event log cleared (including the Security Event Log) - - This could indicate an intruder that is covering their tracks. + - This event could indicate an intruder that is covering their tracks. -- Special privileges assigned to new logon +- Special privileges assigned to new sign in - - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. + - This assignation indicates that at the time of signing in, a user is either an Administrator or has the sufficient access to make themselves Administrator. - Outbound Remote Desktop Services session attempts @@ -265,19 +265,19 @@ The annotated event query can be found in the following. For more info, see [App - Task Scheduler allows intruders to run code at specified times as LocalSystem. -- Logon with explicit credentials +- Sign-in with explicit credentials - Detect credential use changes by intruders to access more resources. - Smartcard card holder verification events - - This detects when a smartcard is being used. + - This event detects when a smartcard is being used. ### Suspect subscription -This adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. +This subscription adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. -- Logon session creation for network sessions +- Sign-in session creation for network sessions - Enables time-series analysis of network graphs. @@ -290,15 +290,15 @@ This adds some possible intruder-related activity to help analyst further refine - Detects known bad certificate, CA, or sub-CA - Detects unusual process use of CAPI -- Groups assigned to local logon +- Groups assigned to local sign in - - Gives visibility to groups which enable account-wide access + - Gives visibility to groups that enable account-wide access - Allows better planning for remediation efforts - Excludes well known, built-in system accounts. -- Logon session exit +- Sign-in session exit - - Specific for network logon sessions. + - Specific for network sign-in sessions. - Client DNS lookup events @@ -308,11 +308,11 @@ This adds some possible intruder-related activity to help analyst further refine - Enables checking for processes terminating unexpectedly. -- Local credential validation or logon with explicit credentials +- Local credential validation or signing in with explicit credentials - Generated when the local SAM is authoritative for the account credentials being authenticated. - Noisy on domain controllers - - On client devices this is only generated when local accounts log on. + - On client devices, it's only generated when local accounts sign in. - Registry modification audit events @@ -370,9 +370,9 @@ If your organizational audit policy enables more auditing to meet its needs, tha ## Appendix B - Recommended minimum registry system ACL policy -The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. +The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user signs in to the system. -This can easily be extended to other Auto-Execution Start Points keys in the registry. +This implication can easily be extended to other Auto-Execution Start Points keys in the registry. Use the following figures to see how you can configure those registry keys. @@ -384,16 +384,16 @@ Use the following figures to see how you can configure those registry keys. Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it. -The recommended and most effective way to do this is configuring the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device. +The recommended and most effective way to do this customization is configuring the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access). This configuration will take effect at the next GPO refresh cycle and has minimal impact on the client device. -The following GPO snippet performs the following: +The following GPO snippet performs the following tasks: - Enables the **Microsoft-Windows-Capi2/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB. -- Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100MB. +- Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100 MB. - Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group. - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. -- Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. +- Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50 MB. ![configure event channels.](images/capi-gpo.png) @@ -403,7 +403,7 @@ Here are the minimum steps for WEF to operate: 1. Configure the collector URI(s). 2. Start the WinRM service. -3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. +3. Add the Network Service account to the built-in Event Log Readers security group. This addition allows reading from secured event channel, such as the security event channel. ![configure the wef client.](images/wef-client-config.png) diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md index 07dfa8e8f7..90233a51ac 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md @@ -1,14 +1,8 @@ --- -title: Deploying Windows Defender Application Control AppId Tagging policies (Windows) -description: How to deploy your WDAC AppId Tagging policies locally and globally within your managed environment -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +title: Deploying Windows Defender Application Control AppId tagging policies +description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jgeurten ms.reviewer: jsuther1974 @@ -18,35 +12,35 @@ ms.date: 04/29/2022 ms.technology: windows-sec --- -# Deploying Windows Defender Application Control AppId Tagging policies (Windows) +# Deploying Windows Defender Application Control AppId tagging policies **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and later > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md). -Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy: +Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy: -1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm) +1. [Deploy AppId tagging policies with MDM](#deploy-appid-tagging-policies-with-mdm) 1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager) 1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting) 1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp) -## Deploy AppId Tagging Policies with MDM +## Deploy AppId tagging policies with MDM -Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). -## Deploy AppId Tagging Policies with Configuration Manager +## Deploy AppId tagging policies with Configuration Manager -Custom AppId Tagging policies can deployed via Configuration Manager using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. +Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-wdac-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. -### Deploy AppId Tagging Policies via Scripting +### Deploy AppId tagging Policies via Scripting -Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy Windows Defender Application Control policies using script article](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Only the method for deploying to version 1903 and above is applicable for AppId Tagging policies. +Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy WDAC AppId tagging policies via scripting, see [Deploy WDAC policies using script](../deployment/deploy-wdac-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later. ### Deploying policies via the ApplicationControl CSP @@ -57,4 +51,4 @@ However, when policies are unenrolled from an MDM server, the CSP will attempt t For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Endpoint Manager Intune's Custom OMA-URI capability. > [!NOTE] -> WMI and GP do not currently support multiple policies. Instead, customers who can't directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. +> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index e882f22e84..f85611c594 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -41,7 +41,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de 1. Generate a supplemental policy with Windows Defender Application Control tooling - This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. + This policy will expand the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. @@ -56,14 +56,14 @@ The general steps for expanding the S mode base policy on your Intune-managed de ```powershell Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "\SupplementalPolicy.xml" ``` - Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID. + Policies that are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this ID is the S mode policy ID. - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true) ```powershell Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete ``` - This deletes the 'audit mode' qualifier. - - Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the Windows Defender Application Control policy: + This command deletes the 'audit mode' qualifier. + - Since you'll be signing your policy, you must authorize the signing certificate you'll use to sign the policy and optionally one or more extra signers that can be used to sign updates to the policy in the future. For more information, see Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the Windows Defender Application Control policy: ```powershell Add-SignerRule -FilePath -CertificatePath -User -Update @@ -82,7 +82,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de 3. Deploy the signed supplemental policy using Microsoft Intune - Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device. + Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these tokens and policies expand the S mode base policy on the device. > [!Note] > When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number. @@ -95,9 +95,9 @@ Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-manag ![Deploying Apps using Catalogs.](images/wdac-intune-app-catalogs.png) Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well. -Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. +Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) by using signed catalogs. This functionality works for apps that may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. -The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs. +The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. For more information on generating catalogs, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). > [!Note] > Every time an app updates, you will need to deploy an updated catalog. Because of this, IT Pros should try to avoid using catalog files for applications that auto-update and direct users not to update applications on their own. @@ -186,7 +186,7 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis ``` ## Policy removal -In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group which received the policy, which will trigger a removal of both the policy and the authorization token from the device. +In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group that received the policy, which will trigger a removal of both the policy and the authorization token from the device. IT Pros also have the choice of deleting a supplemental policy through Intune. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2f007e159d..a7d64bd225 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -73,13 +73,13 @@ href: windows-defender-application-control-deployment-guide.md items: - name: Deploy WDAC policies with MDM - href: deploy-windows-defender-application-control-policies-using-intune.md - - name: Deploy WDAC policies with MEMCM + href: deployment/deploy-windows-defender-application-control-policies-using-intune.md + - name: Deploy WDAC policies with Configuration Manager href: deployment/deploy-wdac-policies-with-memcm.md - name: Deploy WDAC policies with script href: deployment/deploy-wdac-policies-with-script.md - - name: Deploy WDAC policies with Group Policy - href: deploy-windows-defender-application-control-policies-using-group-policy.md + - name: Deploy WDAC policies with group policy + href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md - name: Audit WDAC policies href: audit-windows-defender-application-control-policies.md - name: Merge WDAC policies diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 1b90bf0d1c..11e582e4d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -35,7 +35,7 @@ The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component- ### COM object configurability in WDAC policy -Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. +Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. > [!NOTE] > To add this functionality to other versions of Windows 10, you can install the following or later updates. @@ -56,7 +56,7 @@ Get GUID of application to allow in one of the following ways: Three elements: -- Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”) +- Provider: platform on which code is running (values are PowerShell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”) - Key: GUID for the program you wish to run, in the format Key="{33333333-4444-4444-1616-161616161616}" - ValueName: needs to be set to "EnterpriseDefinedClsId" @@ -152,7 +152,7 @@ To add this CLSID to the existing policy, follow these steps: PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean ``` - Once the command has been run, you will find that the following section is added to the policy XML. + Once the command has been run, you'll find that the following section is added to the policy XML. ```XML @@ -162,9 +162,9 @@ To add this CLSID to the existing policy, follow these steps: ``` -### Default COM Object Allow List +### Default COM Object allowlist -The table below describes the list of COM objects that are inherently trusted in Windows Defender Application Control. Objects in this list do not need to be allowlisted in your WDAC policies. They can be denied by creating explicit deny rules in your WDAC policy. +The table below describes the list of COM objects that are inherently trusted in Windows Defender Application Control. Objects in this list don't need to be allowlisted in your WDAC policies. They can be denied by creating explicit deny rules in your WDAC policy. | File Name | CLSID | |--------|-----------| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index d3d7b17207..5a985252e9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -33,6 +33,6 @@ This topic for IT professionals describes how to update your existing AppLocker You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center. -RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8. +RSAT comes with the Group Policy Management Console that allows you to edit the GPO or GPOs where your existing AppLocker policy is authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.     diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index 206a7b287c..6dbbe7b0fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -45,7 +45,7 @@ When a new DLL loads, a notification is sent to AppLocker to verify that the DLL **A script is run** -Before a script file is run, the script host (for example. for .ps1 files the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it is allowed to run. In each case, the actions taken by AppLocker are written to the event log. +Before a script file is run, the script host (for example, for .ps1 files, the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it's allowed to run. In each case, the actions taken by AppLocker are written to the event log. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index af1cdbd2d8..4e4e13c016 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -51,7 +51,7 @@ AppLocker helps reduce administrative overhead and helps reduce the organization - **Protection against unwanted software** - AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running. + AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running. - **Licensing conformance** @@ -59,11 +59,11 @@ AppLocker helps reduce administrative overhead and helps reduce the organization - **Software standardization** - AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment. - **Manageability improvement** - AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies. + AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies. ## When to use AppLocker @@ -71,7 +71,7 @@ AppLocker helps reduce administrative overhead and helps reduce the organization In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. -Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls. +Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls. AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. @@ -80,9 +80,9 @@ The following are examples of scenarios in which AppLocker can be used: - Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users. - An app is no longer supported by your organization, so you need to prevent it from being used by everyone. - The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. -- The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone. +- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone. - A new app or a new version of an app is deployed, and you need to prevent users from running the old version. -- Specific software tools are not allowed within the organization, or only specific users should have access to those tools. +- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools. - A single user or small group of users needs to use a specific app that is denied for all others. - Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps. - In addition to other measures, you need to control the access to sensitive data through app usage. @@ -101,7 +101,7 @@ AppLocker is included with enterprise-level editions of Windows. You can author ### Using AppLocker on Server Core -AppLocker on Server Core installations is not supported. +AppLocker on Server Core installations isn't supported. ### Virtualization considerations @@ -115,9 +115,9 @@ The variety of forms that malicious software can take make it difficult for user The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers. -A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies. +A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it's important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies. -For additional information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). +For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 8b61cc5f7c..a7af9ef942 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -32,7 +32,7 @@ ms.technology: windows-sec This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. -This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change. +This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It's intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change. This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index 5175d57766..2c023e6bc0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -31,9 +31,9 @@ ms.technology: windows-sec This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. -This guide provides important designing and planning information for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group. +This guide provides important designing and planning information for deploying application control policies by using AppLocker. It's intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group. -This guide does not cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md). +This guide doesn't cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md). To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). ## In this section @@ -44,8 +44,8 @@ To understand if AppLocker is the correct application control solution for your | [Determine your application control objectives](determine-your-application-control-objectives.md) | This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. | | [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. | | [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. | -| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. | -| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. | +| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you're planning to deploy AppLocker rules. | +| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |   After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 32d003ef09..77d166aedc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -39,7 +39,7 @@ AppLocker can help you improve the management of application control and the mai 2. **Protection against unwanted software** - AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not identified by its publisher, installation path, or file hash, the attempt to run the application fails. + AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app isn't identified by its publisher, installation path, or file hash, the attempt to run the application fails. 3. **Licensing conformance** @@ -47,12 +47,11 @@ AppLocker can help you improve the management of application control and the mai 4. **Software standardization** - AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment. 5. **Manageability improvement** - AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use - the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers. + AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers. ### Use scenarios @@ -60,13 +59,13 @@ The following are examples of scenarios in which AppLocker can be used: - Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage. - The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed. -- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps are not licensed or prevent unauthorized users from running licensed software. +- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps aren't licensed or prevent unauthorized users from running licensed software. - An app is no longer supported by your organization, so you need to prevent it from being used by everyone. -- Your organization needs to restrict the use of Universal Windows apps to just those your organization approves of or develops. +- Your organization needs to restrict the use of Universal Windows apps to just those apps your organization approves of or develops. - The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. - The license to an app has been revoked or is expired in your organization, so you need to prevent it from being used by everyone. - A new app or a new version of an app is deployed, and you need to allow certain groups to use it. -- Specific software tools are not allowed within the organization, or only specific users have access to those tools. +- Specific software tools aren't allowed within the organization, or only specific users have access to those tools. - A single user or small group of users needs to use a specific app that is denied for all others. - Some computers in your organization are shared by people who have different software usage needs. - In addition to other measures, you need to control the access to sensitive data through app usage. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index 8460667499..34ff057457 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -35,7 +35,7 @@ This topic for the IT professional describes the process dependencies and intera AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure. -The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service is not running, policies will not be enforced. The Application Identity service returns the information from the binary -even if product or binary names are empty- to the results pane of the Local Security Policy snap-in. +The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service isn't running, policies won't be enforced. The Application Identity service returns the information from the binary -even if product or binary names are empty- to the results pane of the Local Security Policy snap-in. AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information: @@ -49,7 +49,7 @@ An AppLocker policy for DLLs and executable files is read and cached by kernel m ### Understanding AppLocker rules -An AppLocker rule is a control placed on a file to govern whether or not it is allowed to run for a specific user or group. Rules apply to five different types, or collections, of files: +An AppLocker rule is a control placed on a file to govern whether or not it's allowed to run for a specific user or group. Rules apply to five different types, or collections, of files: - An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications. - A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js. @@ -97,7 +97,7 @@ An AppLocker policy is a set of rule collections and their corresponding configu - [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) - Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. + Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. ### Understanding AppLocker and Group Policy @@ -105,7 +105,7 @@ Group Policy can be used to create, modify, and distribute AppLocker policies in - [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) - When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. + When Group Policy is used to distribute AppLocker policies, rule collections that aren't configured will be enforced. Group Policy doesn't overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index 4ae757fa97..81a1e43bb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -40,7 +40,7 @@ You can perform this task by using the Group Policy Management Console for an Ap **To enable the Enforce rules enforcement setting** 1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. -2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you are editing, and then verify that **Enforce rules** is selected. +2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you're editing, and then verify that **Enforce rules** is selected. 3. Click **OK**. For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index 0675c5fa73..1f7b314f14 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -36,15 +36,15 @@ An AppLocker reference device that is used for the development and deployment of - Maintain an application list for each business group. - Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules. - Create the default rules to allow the Windows system files to run properly. -- Run tests and analyze the event logs to determine the affect of the policies that you intend to deploy. +- Run tests and analyze the event logs to determine the effect of the policies that you intend to deploy. -The reference device does not need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). +The reference device doesn't need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). >**Warning:**  Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected. **To configure a reference device** -1. If the operating system is not already installed, install one of the supported editions of Windows on the device. +1. If the operating system isn't already installed, install one of the supported editions of Windows on the device. >**Note:**  If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device @@ -58,7 +58,7 @@ The reference device does not need to be joined to a domain, but it must be able ### See also -- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see [Working with AppLocker rules](working-with-applocker-rules.md). +- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this task, see [Working with AppLocker rules](working-with-applocker-rules.md). - [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index 1c676d9236..3bc3d41f7e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. -Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps, which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: +Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it's possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows doesn't support unsigned packaged apps, which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: - Publisher of the package - Package name @@ -53,19 +53,19 @@ You can perform this task by using the Group Policy Management Console for an Ap |Selection|Description|Example| |--- |--- |--- | - |**Use an installed packaged app as a reference**|If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.|You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.| + |**Use an installed packaged app as a reference**|If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.|You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you're creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.| |**Use a packaged app installer as a reference**|If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.|Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.| The following table describes setting the scope for the packaged app rule. |Selection|Description|Example| |--- |--- |--- | - |Applies to **Any publisher**|This is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install.

                        Conversely, if this is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.| - |Applies to a specific **Publisher** | This scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. | - |Applies to a **Package name** | This scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. | - |Applies to a **Package version** | This scopes the rule to a particular version of the package. | You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. | + |Applies to **Any publisher**|This setting is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install.

                        Conversely, if this setting is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.| + |Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. | + |Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. | + |Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. | |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. | 6. Select **Next**. -7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. +7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. 8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 7daf4320eb..4b22dedc36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -39,7 +39,7 @@ For each business group, determine the following information: - The full installation path of the app - The publisher and signed status of each app - The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control. -- A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who cannot provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials. +- A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who can't provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials. ### How to perform the app usage assessment @@ -48,9 +48,9 @@ Rules wizard and the **Audit only** enforcement configuration to assist you with **Application inventory methods** -Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. +Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This requirement might mean more work in setting up the reference computer and determining a maintenance policy for that computer. -Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. +Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. > [!TIP] > If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. @@ -63,16 +63,16 @@ The following topics describe how to perform each method: ### Prerequisites to completing the inventory -Identify the business group and each organizational unit (OU) within that group to which you will apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics: +Identify the business group and each organizational unit (OU) within that group to which you'll apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics: - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) - [Determine your application control objectives](determine-your-application-control-objectives.md) ## Next steps -Identify and develop the list of apps. Record the name of the app, whether it is signed or not as indicated by the publisher's name, and whether or not it is a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For info about how to do this, see [Document your app list](document-your-application-list.md). +Identify and develop the list of apps. Record the name of the app, whether it's signed or not as indicated by the publisher's name, and whether or not it's a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For more information, see [Document your app list](document-your-application-list.md). -After you have created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled: +After you've created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled: - Use default rule or define new rule condition - Allow or deny diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index 961dd4e3ff..8a5e46aee1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -35,7 +35,7 @@ Creating effective application control policies with AppLocker starts by creatin ## Step 1: Use your plan -You can develop an application control policy plan to guide you in making successful deployment decisions. For more info about how to do this and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group: +You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to develop this policy and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group: 1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) 2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) @@ -52,12 +52,12 @@ Each rule applies to one or more apps, and it imposes a specific rule condition ## Step 3: Configure the enforcement setting -An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that +An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it's set to **Not configured**, all the rules in that policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). ## Step 4: Update the GPO -AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to do this, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). +AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO), or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to import this policy into a GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). ## Step 5: Test the effect of the policy @@ -68,7 +68,7 @@ In a test environment or with the enforcement setting set at **Audit only**, ver Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**. ## Step 7: Test the effect of the policy and adjust -Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). +Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. For information on how to do these tasks, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). ## Next steps diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index cdda7822da..8efbf0415b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -33,7 +33,7 @@ This topic for the IT professional describes what you need to know about AppLock ## Creating AppLocker rules -AppLocker rules apply to the targeted app, and they are the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md). +AppLocker rules apply to the targeted app, and they're the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md). ### Automatically generate your rules @@ -47,7 +47,7 @@ You can use a reference device to automatically create a set of default rules fo ### Create your rules individually -You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group. +You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you're targeting a few applications within a business group. >**Note:**  AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md). @@ -62,7 +62,7 @@ For information about performing this task, see: ## About selecting rules -AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they are implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer. +AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they're implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer. When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 0add3ed41f..6247e45693 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -38,7 +38,7 @@ For info about testing an AppLocker policy to see what rules affect which files You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). -These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings. +These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy won't override those settings. ## To delete a rule in an AppLocker policy @@ -72,13 +72,13 @@ To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules: PS C:\Users\Administrator> import-module AppLocker ``` -We will create a file (for example, clear.xml), place it in the same directory where we are executing our cmdlet, and add the preceding XML contents. Then run the following command: +We'll create a file (for example, clear.xml), place it in the same directory where we're executing our cmdlet, and add the preceding XML contents. Then run the following command: ```powershell C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml ``` -This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. +This command will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 76c4ee127a..fc69f58037 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -41,15 +41,15 @@ For info about how to plan an AppLocker policy deployment, see [AppLocker Design ## Step 1: Retrieve the AppLocker policy -Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). +Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). ## Step 2: Alter the enforcement setting -Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). +Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). ## Step 3: Update the policy -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the Microsoft Desktop Optimization Pack. >**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. @@ -60,9 +60,9 @@ For the procedures to distribute policies for local PCs by using the Local Secur ## Step 4: Monitor the effect of the policy -When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). +When a policy is deployed, it's important to monitor the actual implementation of that policy by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 2d9fdbe7c2..13836e63df 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -1,6 +1,6 @@ --- title: Determine the Group Policy structure and rule enforcement (Windows) -description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. +description: This overview topic describes the process to follow when you're planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f ms.reviewer: ms.author: dansimp @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This overview topic describes the process to follow when you are planning to deploy AppLocker rules. +This overview topic describes the process to follow when you're planning to deploy AppLocker rules. ## In this section @@ -39,10 +39,10 @@ This overview topic describes the process to follow when you are planning to dep | [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.| | [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. | -When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following: +When you're determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following points: -- Whether you are creating new GPOs or using existing GPOs -- Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO +- Whether you're creating new GPOs or using existing GPOs +- Whether you're implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO - GPO naming conventions - GPO size limits diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 656ab2805e..e8313de0e1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -31,14 +31,14 @@ ms.technology: windows-sec This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. -The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain. +The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device doesn't need to be joined to the domain. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. **To determine which apps are digitally signed on a reference device** 1. Run **Get-AppLockerFileInformation** with the appropriate parameters. - The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that aren't signed don't have any publisher information. 2. Analyze the publisher's name and digital signature status from the output of the command. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index bb43e3b175..1136c55fd2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -39,21 +39,21 @@ Use the following table to develop your own objectives and determine which appli |Application control function|SRP|AppLocker| |--- |--- |--- | -|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in[Requirements to use AppLocker](requirements-to-use-applocker.md).| +|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).| |Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

                        AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.| |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.| -|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.

                        SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.| -|File types that can be controlled|SRP can control the following file types:
                      • Executables
                      • DLLs
                      • Scripts
                      • Windows Installers

                        SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
                      • Executables
                      • DLLs
                      • Scripts
                      • Windows Installers
                      • Packaged apps and installers

                        AppLocker maintains a separate rule collection for each of the five file types.| -|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this. AppLocker currently supports the following file extensions:
                      • Executables (.exe, .com)
                      • DLLs (.ocx, .dll)
                      • Scripts (.vbs, .js, .ps1, .cmd, .bat)
                      • Windows Installers (.msi, .mst, .msp)
                      • Packaged app installers (.appx)| +|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.

                        SRP can also be configured in the “allowlist mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.| +|File types that can be controlled|SRP can control the following file types:
                      • Executables
                      • DLLs
                      • Scripts
                      • Windows Installers

                        SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
                      • Executables
                      • DLLs
                      • Scripts
                      • Windows Installers
                      • Packaged apps and installers

                        AppLocker maintains a separate rule collection for each of the five file types.| +|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this addition of extension. AppLocker currently supports the following file extensions:
                      • Executables (.exe, .com)
                      • DLLs (.ocx, .dll)
                      • Scripts (.vbs, .js, .ps1, .cmd, .bat)
                      • Windows Installers (.msi, .mst, .msp)
                      • Packaged app installers (.appx)| |Rule types|SRP supports four types of rules:
                      • Hash
                      • Path
                      • Signature

                        Internet zone|AppLocker supports three types of rules:
                      • Hash
                      • Path
                      • Publisher| |Editing the hash value|SRP allows you to select a file to hash.|AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.| -|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

                        SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.| +|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

                        SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.| |Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.| |Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.| -|Support for rule exceptions|SRP does not support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.| -|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.| -|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.| +|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.| +|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.| +|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.| |Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.| For more general info, see AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 596ca4a50f..542a15ced2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. -Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed. +With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default access denied message is displayed. To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index 5c09c86d2e..6921eeb8f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -40,12 +40,9 @@ The following table lists the default rules that are available for the DLL rule | Purpose | Name | User | Rule condition type | | - | - | - | - | -| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| -| BUILTIN\Administrators | Path: *| -| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | -| Everyone | Path: %windir%\*| -| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| -| Everyone | Path: %programfiles%\*| +| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| BUILTIN\Administrators | Path: *| +| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\*| +| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| Everyone | Path: %programfiles%\*| > [!IMPORTANT] > If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index f21a48c714..24d9b339a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -40,7 +40,7 @@ To complete this AppLocker planning document, you should first complete the foll 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) -After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. +After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they're linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies. @@ -49,13 +49,13 @@ The following table includes the sample data that was collected when you determi |Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules| ||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow|| |Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules| -||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow|| +||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow|| ||||Internet Explorer 7|C:\Program Files\Internet Explorer

                        |File is signed; create a publisher condition|Deny|| ||||Windows files|C:\Windows|Use a default rule for the Windows path|Allow|| ## Next steps -After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: +After you've determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 811e3ab499..d23ab33e4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes the steps required to modify an AppLocker policy. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't create a new version of the policy by importing more rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). There are three methods you can use to edit an AppLocker policy: @@ -40,20 +40,21 @@ There are three methods you can use to edit an AppLocker policy: - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) ## Editing an AppLocker policy by using Mobile Device Management (MDM) +If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node. +For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). ## Editing an AppLocker policy by using Group Policy -The steps to edit an AppLocker policy distributed by Group Policy include the following: +The steps to edit an AppLocker policy distributed by Group Policy include: ### Step 1: Use Group Policy management software to export the AppLocker policy from the GPO -AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker -policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). +AppLocker provides a feature to export and import AppLocker policies as an XML file. This feature allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker policy to an XML file. For information on the procedure to export this policy, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). ### Step 2: Import the AppLocker policy into the AppLocker reference PC or the PC you use for policy maintenance -After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). +After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). >**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   @@ -61,8 +62,8 @@ After exporting the AppLocker policy to an XML file, you should import the XML f AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. -- For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). -- For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). +- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). +- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For procedures to create rules, see: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) @@ -70,7 +71,7 @@ AppLocker provides ways to modify, delete, or add rules to a policy by modifying - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) -- For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). +- For information on the steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). - For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). ### Step 4: Use AppLocker and Group Policy to import the AppLocker policy back into the GPO @@ -89,7 +90,7 @@ The steps to edit an AppLocker policy distributed by using the Local Security Po On the PC where you maintain policies, open the AppLocker snap-in from the Local Security Policy snap-in (secpol.msc). If you exported the AppLocker policy from another PC, use AppLocker to import it onto the PC. -After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). +After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). >**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   @@ -97,8 +98,8 @@ After exporting the AppLocker policy to an XML file, you should import the XML f AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. -- For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). -- For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). +- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). +- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For procedures to create rules, see: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) @@ -114,6 +115,6 @@ For steps to test an AppLocker policy, see [Test and update an AppLocker policy] For procedures to export the updated policy from the reference computer to targeted computers, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 04db4a506d..97c6d66e6c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -57,7 +57,7 @@ For every scenario, the steps to maintain an AppLocker policy distributed by Gro As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. >**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. @@ -74,7 +74,7 @@ Updating an AppLocker policy that is currently enforced in your production envir After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. -To modify AppLocker rules, see the following: +To modify AppLocker rules, see the following articles: - [Edit AppLocker rules](edit-applocker-rules.md) - [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md) @@ -101,7 +101,7 @@ Before modifying a policy, evaluate how the policy is currently implemented. ### Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule -Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. +Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules don't allow users to open or run any files that aren't allowed. To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md). @@ -117,6 +117,6 @@ You can export and then import AppLocker policies to deploy the policy to other After deploying a policy, evaluate the policy's effectiveness. -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 6c12bd897b..477f41380a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -34,7 +34,7 @@ This topic for IT professionals describes concepts and lists procedures to help ## Understanding Packaged apps and Packaged app installers for AppLocker Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. -With packaged apps, it is possible to control the entire app by using a single AppLocker rule. +With packaged apps, it's possible to control the entire app by using a single AppLocker rule. > [!NOTE] > AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. @@ -46,8 +46,8 @@ Typically, an app consists of multiple components: the installer that is used to AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: -- **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. -- **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. +- **Installing the apps**   All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. +- **Changing the system state**   Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes. - **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means. AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. @@ -67,12 +67,12 @@ For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). -Consider the following info when you are designing and deploying apps: +Consider the following info when you're designing and deploying apps: -- Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary. -- You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules. -- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or -Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. +- Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps isn't necessary. +- You can't create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps weren't always consistently signed; therefore, AppLocker has to support hash- or path-based rules. +- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 wouldn't have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or +Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app, which is contrary to your design. To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection. @@ -80,10 +80,10 @@ Windows 8 joins a domain where an AppLocker policy is already configured, users Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy: -1. Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). +1. Gather information about which Packaged apps are running in your environment. For information about how to gather this information, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). 2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Understanding AppLocker default rules](./understanding-applocker-default-rules.md). -3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). +3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this update, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). -4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). \ No newline at end of file +4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this monitoring, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 7737b4399b..6d553816d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -31,13 +31,13 @@ ms.technology: windows-sec This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. -The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy. +The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter isn't specified, then the new policy will overwrite the existing policy. For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](/powershell/module/applocker/set-applockerpolicy). For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). -You can also manually merge AppLocker policies. For the procedure to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md). +You can also manually merge AppLocker policies. For information on the procedure to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md). **To merge a local AppLocker policy with another AppLocker policy by using LDAP paths** 1. Open the PowerShell command window. For info about performing Windows PowerShell commands for AppLocker, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index 4063ae1e66..de6eab6cab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). -If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). +If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. Rule collections are specified within the **RuleCollection Type** element. The XML schema includes five attributes for the different rule collections, as shown in the following table: @@ -51,7 +51,7 @@ Rule enforcement is specified with the **EnforcementMode** element. The three en | AuditOnly | Audit only| | Enabled | Enforce rules| -Each of the three condition types use specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. +Each of the three condition types uses specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. @@ -63,4 +63,4 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 4. Open the policy where you want to add the copied rules. 5. Select and expand the rule collection where you want to add the rules. 6. At the bottom of the rule list for the collection, after the closing element, paste the rules that you copied from the first policy file. Verify that the opening and closing elements are intact, and then save the policy. -7. Upload the policy to a reference computer to ensure that it is functioning properly within the GPO. +7. Upload the policy to a reference computer to ensure that it's functioning properly within the GPO. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index a19c80618b..2a7f113724 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. -Once you set rules and deploy the AppLocker policies, it is good practice to determine if the policy implementation is what you expected. +Once you set rules and deploy the AppLocker policies, it's a good practice to determine if the policy implementation is what you expected. ### Discover the effect of an AppLocker policy @@ -39,27 +39,27 @@ You can evaluate how the AppLocker policy is currently implemented for documenta - **Analyze the AppLocker logs in Event Viewer** - When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. - For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). + For more information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). - **Enable the Audit only AppLocker enforcement setting** By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. - For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + For more information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). - **Review AppLocker events with Get-AppLockerFileInformation** - For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file. + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you're using the audit-only enforcement mode) and how many times the event has occurred for each file. - For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). + For more information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). - **Review AppLocker events with Test-AppLockerPolicy** You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies. - For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + For more information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). ### Review AppLocker events with Get-AppLockerFileInformation @@ -93,7 +93,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum **To view events in the AppLocker log by using Event Viewer** -1. Open Event Viewer. To do this, click **Start**, type **eventvwr.msc**, and then press ENTER. +1. To open Event Viewer, go to the **Start** menu, type **eventvwr.msc**, and then select ENTER. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index c79be76e77..0ee1ed1988 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -32,7 +32,7 @@ ms.technology: windows-sec This topic explains the AppLocker rule collection for packaged app installers and packaged apps. Universal Windows apps can be installed through the Microsoft Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation. -Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule. +Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It's therefore possible to control an entire app with a single rule. AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. A publisher rule for a Universal Windows app is based on the following attributes of the app: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 2f5df9dc7c..65214802ff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -1,6 +1,6 @@ --- title: Plan for AppLocker policy management (Windows) -description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. +description: This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b ms.reviewer: ms.author: dansimp @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. +This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ## Policy management @@ -46,23 +46,23 @@ Developing a process for managing AppLocker rules helps assure that AppLocker co **Help desk support** -If your organization has an established help desk support department in place, consider the following when deploying AppLocker policies: +If your organization has an established help desk support department in place, consider the following points when deploying AppLocker policies: - What documentation does your support department require for new policy deployments? - What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? - Who are the contacts in the support department? -- How will the support department resolve application control issues between the end user and those who maintain the AppLocker rules? +- How will the support department resolve application control issues between the end user and those resources who maintain the AppLocker rules? **End-user support** -Because AppLocker is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: +Because AppLocker is preventing unapproved apps from running, it's important that your organization carefully plans how to provide end-user support. Considerations include: - Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? **Using an intranet site** -AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you do not display a custom URL for the message when an app is blocked, the default URL is used. +AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you don't display a custom URL for the message when an app is blocked, the default URL is used. The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. @@ -72,7 +72,7 @@ For steps to display a custom URL for the message, see [Display a custom URL mes **AppLocker event management** -Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The +Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which was the file that tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: 1. **EXE and DLL**. Contains events for all files affected by the executable and DLL rule collections (.exe, .com, .dll, and .ocx). @@ -83,22 +83,22 @@ Collecting these events in a central location can help you maintain your AppLock ### Policy maintenance -As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current. +As new apps are deployed or existing apps are updated by the software publisher, you'll need to make revisions to your rule collections to ensure that the policy is current. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013). +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013). > [!IMPORTANT] > You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. **New version of a supported app** -When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. +When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you're using publisher conditions and the version isn't specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app hasn't altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version. For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions. -For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app +For files with path conditions, you should verify that the installation path hasn't changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app **Recently deployed app** @@ -114,7 +114,7 @@ A file could be blocked for three reasons: - The most common reason is that no rule exists to allow the app to run. - There may be an existing rule that was created for the file that is too restrictive. -- A deny rule, which cannot be overridden, is explicitly blocking the file. +- A deny rule, which can't be overridden, is explicitly blocking the file. Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791793(v=ws.10)) (https://go.microsoft.com/fwlink/p/?LinkId=160269). @@ -132,7 +132,7 @@ The three key areas to determine for AppLocker policy management are: 1. Support policy - Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. + Document the process that you'll use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. 2. Event processing @@ -149,7 +149,7 @@ The following table contains the added sample data that was collected when deter |Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules|Web help| ||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help desk| |Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|Web help| -||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help| +||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||Web help| ||||Internet Explorer 7|C:\Program Files\Internet Explorer

                        |File is signed; create a publisher condition|Deny||Web help| ||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help desk| @@ -157,7 +157,7 @@ The following two tables illustrate examples of documenting considerations to ma **Event processing policy** -One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. +One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This setting will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. The following table is an example of what to consider and record. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index e4d36fb82e..9d554232ef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -42,7 +42,7 @@ To complete this procedure, you must have Edit Setting permission to edit a GPO **To manually refresh the AppLocker policy by using Group Policy** 1. From a command prompt, type **gpupdate /force**, and then press ENTER. -2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this by checking the AppLocker event logs for events that include "policy applied." +2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this verification by checking the AppLocker event logs for events that include "policy applied." To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see: @@ -64,8 +64,8 @@ When finished, the policy is in effect. To make the same change on another device, you can use any of the following methods: -- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do this, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. +- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. >**Caution:**  When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.   -- Merge AppLocker policies. For procedures to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). +- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index b45234c1a0..807313b37d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -40,15 +40,15 @@ You can perform this task by using the Group Policy Management Console for an Ap 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. 3. Click **Automatically Generate Rules**. -4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this is the Program Files folder. -5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. -6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. +4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this folder is the Program Files folder. +5. Click **Select** to choose the security group in which the default rules should be applied. By default, this group is the **Everyone** group. +6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you've selected. Accept the provided name or type a different name, and then click **Next**. 7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). >**Note:** The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: - One publisher condition is created for all files that have the same publisher and product name. - - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. + - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder aren't signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file. 8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 48095da0ce..e30b2c517a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -1,6 +1,6 @@ --- title: Script rules in AppLocker (Windows) -description: This topic describes the file formats and available default rules for the script rule collection. +description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: ms.author: macapara @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 06/15/2022 ms.technology: windows-sec --- @@ -26,26 +26,26 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - -This topic describes the file formats and available default rules for the script rule collection. +This article describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: -- .ps1 -- .bat -- .cmd -- .vbs -- .js +- `.ps1` +- `.bat` +- `.cmd` +- `.vbs` +- `.js` The following table lists the default rules that are available for the script rule collection. | Purpose | Name | User | Rule condition type | | - | - | - | - | -| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| -| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| -| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| - -## Related topics +| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` | +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| + +> [!NOTE] +> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode. + +## Related articles - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 3b58e12ab7..8aebe54030 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -34,26 +34,26 @@ This topic for the IT professional describes the security considerations you nee The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for AppLocker: -AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. +AppLocker is deployed within an enterprise and administered centrally by those resources in IT with trusted credentials. This system makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. -AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. +AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that isn't in a GPO will still be evaluated for that computer. -Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460962(v=technet.10)). +Microsoft doesn't provide a way to develop any extensions to AppLocker. The interfaces aren't public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460962(v=technet.10)). -AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. +AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that isn't in a GPO will still be evaluated for that computer. If the local computer isn't joined to a domain and isn't administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. -When securing files in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it is still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. +When files are being secured in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it's still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. -AppLocker does not protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. +AppLocker doesn't protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there's already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it's a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. -You cannot use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. +You can't use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this rule applies to the (POSIX) subsystem in Windows NT. If it's a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. -AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros. +AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It doesn't control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker can't control every kind of interpreted code, such as Microsoft Office macros. > [!IMPORTANT] > You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. -AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. +AppLocker rules either allow or prevent an application from launching. AppLocker doesn't control the behavior of applications after they're launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. > [!NOTE] > Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 0e46c32873..a8f29966da 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -52,7 +52,7 @@ The rules you create will be in one of the following rule collections: - Packaged apps and packaged app installers: .appx - DLLs: .dll and .ocx -By default, the rules will allow a file to run based upon user or group privilege. If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection is not enabled by default. +By default, the rules will allow a file to run based upon user or group privilege. If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection isn't enabled by default. In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is C:\\Program Files\\Woodgrove\\Teller.exe, and this app needs to be included in a rule. In addition, because this rule is part of a list of allowed applications, all the Windows files under C:\\Windows must be included as well. @@ -66,13 +66,13 @@ A rule condition is criteria upon which an AppLocker rule is based and can only | Path| Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).| For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). | | File hash | Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.| For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). | -In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. +In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this rule will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. ### Determine how to allow system files to run -Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. +Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you're first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it's denoted with "(Default rule)" in its name as it appears in the rule collection. -You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: +You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This rule will permit access to these files whenever updates are applied and the files change. If you require more application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: - Traverse Folder/Execute File - Create Files/Write Data @@ -82,6 +82,6 @@ These permissions settings are applied to this folder for application compatibil ## Next steps -After you have selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). +After you've selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). -After recording your findings for the AppLocker rules to create, you will need to consider how to enforce the rules. For info about how to do this, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). +After recording your findings for the AppLocker rules to create, you'll need to consider how to enforce the rules. For information about how to do this enforcement, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index e94dd7e02a..7767e8d4db 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -35,42 +35,42 @@ You should test each set of rules to ensure that the rules perform as intended. ## Step 1: Enable the Audit only enforcement setting -By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). +By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). ## Step 2: Configure the Application Identity service to start automatically -Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. +Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For information on the procedure to do this configuration, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that aren't managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. ## Step 3: Test the policy -Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy. +Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PCs that are configured to receive your AppLocker policy. -The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). +The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). ## Step 4: Analyze AppLocker events You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis. **To manually analyze AppLocker events** -You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). +You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you haven't configured an event subscription, then you'll have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). **To analyze AppLocker events by using Get-AppLockerFileInformation** You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. -For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). +For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you're using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For information on the procedure to do this monitoring, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). -After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names. +After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this blocker GPO, you can use the Group Policy Results Wizard to view rule names. ## Step 5: Modify the AppLocker policy -After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). +After you've identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that aren't managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). ## Step 6: Repeat policy testing, analysis, and policy modification Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement. -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).   diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 25bb78c4e1..fd88f08362 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -49,7 +49,7 @@ The following tools can help you administer the application control policies cre You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC). - If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. + If you want more features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. - **Remote Server Administration Tools (RSAT)** diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 9b7c321d4e..f99766832e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -31,11 +31,11 @@ ms.technology: windows-sec This topic describes the AppLocker enforcement settings for rule collections. -Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. +Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. | Enforcement setting | Description | | - | - | -| Not configured | By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| +| Not configured | By default, enforcement isn't configured in a rule collection. If rules are present in the corresponding rule collection, they're enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| | Enforce rules | Rules are enforced for the rule collection, and all rule events are audited.| | Audit only | Rule events are audited only. Use this value when planning and testing AppLocker rules.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index c14abfaefc..fb22ebb52e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -1,6 +1,6 @@ --- title: Understand AppLocker policy design decisions (Windows) -description: Review some common considerations while you are planning to use AppLocker to deploy application control policies within a Windows environment. +description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 ms.reviewer: ms.author: macapara @@ -42,34 +42,34 @@ You should consider using AppLocker as part of your organization's application c - You have resources to involve Help Desk or to build a self-help process for end-user application access issues. - The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. -The following questions are not in priority or sequential order. They should be considered when you deploy application control policies (as appropriate for your targeted environment). +The following questions aren't in priority or sequential order. They should be considered when you deploy application control policies (as appropriate for your targeted environment). ### Which apps do you need to control in your organization? -You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. +You might need to control a limited number of applications because they access sensitive data, or you might have to exclude all applications except those applications that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. | Possible answers | Design considerations| | - | - | | Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| -| Control specific apps | When you create AppLocker rules, a list of allowed apps is created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +| Control specific apps | When you create AppLocker rules, a list of allowed apps is created. All applications on that list will be allowed to run (except those applications on the exception list). Applications that aren't on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| |Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.
                        For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.| | Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.| -| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| -|Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.| +| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure isn't based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you'll have to identify users, their computers, and their app access requirements.| +|Understand app usage, but there's no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.| > [!IMPORTANT] > The following list contains files or types of files that cannot be managed by AppLocker: -- AppLocker does not protect against running 16-bit DOS binaries in an NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. +- AppLocker doesn't protect against running 16-bit DOS binaries in an NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there's already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it's a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. -- You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. +- You can't use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this rule applies to the (POSIX) subsystem in Windows NT. If it's a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. -- AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros. +- AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It doesn't control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker can't control every kind of interpreted code, for example Microsoft Office macros. > [!IMPORTANT] > You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. -- AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. +- AppLocker rules allow or prevent an app from launching. AppLocker doesn't control the behavior of apps after they're launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md). @@ -77,8 +77,8 @@ You might need to control a limited number of apps because they access sensitive AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Microsoft Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: -- All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. -- Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. +- All Universal Windows apps can be installed by a standard user, whereas many Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. +- Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps can't change the system state because they run with limited permissions. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes. - Universal Windows apps can be acquired through the Store, or they can be side-loaded by using Windows PowerShell cmdlets. If you use Windows PowerShell cmdlets, a special Enterprise license is required to acquire Universal Windows apps. Classic Windows applications can be acquired through traditional means, such as through software vendors or retail distribution. AppLocker controls Universal Windows apps and Classic Windows applications by using different rule collections. You have the choice to control Universal Windows apps, Classic Windows applications, or both. @@ -91,7 +91,7 @@ Most organizations have evolved app control policies and methods over time. With | Possible answers | Design considerations | | - | - | -| Security polices (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| +| Security policies (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this policy creation results in a simpler distribution method.| | Non-Microsoft app control software | Using AppLocker requires a complete app control policy evaluation and implementation.| | Managed usage by group or OU | Using AppLocker requires a complete app control policy evaluation and implementation.| | Authorization Manager or other role-based access technologies | Using AppLocker requires a complete app control policy evaluation and implementation.| @@ -103,7 +103,7 @@ If your organization supports multiple Windows operating systems, app control po |Possible answers|Design considerations| |--- |--- | -|Your organization's computers are running a combination of the following operating systems:
                      • Windows 11
                      • Windows 10
                      • Windows 8
                      • Windows 7
                      • Windows Vista
                      • Windows XP
                      • Windows Server 2012
                      • Windows Server 2008 R2
                      • Windows Server 2008
                      • Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

                        **Note:** If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                        AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.| +|Your organization's computers are running a combination of the following operating systems:
                      • Windows 11
                      • Windows 10
                      • Windows 8
                      • Windows 7
                      • Windows Vista
                      • Windows XP
                      • Windows Server 2012
                      • Windows Server 2008 R2
                      • Windows Server 2008
                      • Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

                        **Note:** If you're using the Basic User security level as assigned in SRP, those privileges aren't supported on computers running that support AppLocker.

                        AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.| |Your organization's computers are running only the following operating systems:
                      • Windows 11
                      • Windows 10
                      • Windows 8.1
                      • Windows 8
                      • Windows 7
                      • Windows Server 2012 R2
                      • Windows Server 2012
                      • Windows Server 2008 R2|Use AppLocker to create your application control policies.| ### Are there specific groups in your organization that need customized application control policies? @@ -112,7 +112,7 @@ Most business groups or departments have specific security requirements that per | Possible answers | Design considerations | | - | - | -| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
                        If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| +| Yes | For each group, you need to create a list that includes their application control requirements. Although this consideration may increase the planning time, it will most likely result in a more effective deployment.
                        If your GPO structure isn't currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| | No | AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| ### Does your IT department have resources to analyze application usage, and to design and manage the policies? @@ -121,12 +121,12 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| -| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. | +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as constructed as possible.| +| No | Consider a focused and phased deployment for specific groups by using a few rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. | ### Does your organization have Help Desk support? -Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. +Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow isn't hampered. | Possible answers | Design considerations | | - | - | @@ -140,7 +140,7 @@ Any successful application control policy implementation is based on your knowle | Possible answers | Design considerations | | - | - | | Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | -| No | You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.| +| No | You'll have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.| ### How do you deploy or sanction applications (upgraded or new) in your organization? @@ -159,7 +159,7 @@ Although SRP and AppLocker have the same goal, AppLocker is a major revision of | Possible answers | Design considerations | | - | - | -| Yes | You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

                        **Note:** If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.| +| Yes | You can't use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

                        **Note:** If you're using the Basic User security level as assigned in SRP, those permissions aren't supported on computers running the supported operating systems.| | No | Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. | ### What are your organization's priorities when implementing application control policies? @@ -168,19 +168,19 @@ Some organizations will benefit from application control policies as shown by an | Possible answers | Design considerations | | - | - | -| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | -| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| +| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run various softwares from different sources, including software that they developed. Therefore, if innovation and productivity are a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | +| Management: The organization is aware of and controls the applications it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This GPO shifts the burden of application access to the IT department, but it also has the benefit of controlling the number of applications that can be run and controlling the versions of those applications| | Security: The organization must protect data in part by ensuring that only approved apps are used. | AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.| ### How are apps currently accessed in your organization? -AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. +AppLocker is effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a few rules. | Possible answers | Design considerations | | - | - | | Users run without administrative rights. | Apps are installed by using an installation deployment technology.| -| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

                        **Note:** AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. -| Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.| +| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

                        **Note:** AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it's important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. +| Users currently have administrator access, and it would be difficult to change this privilege.|Enforcing AppLocker rules isn't suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.| ### Is the structure in Active Directory Domain Services based on the organization's hierarchy? diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 92bd84efc4..5afe6be646 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -36,7 +36,7 @@ If no AppLocker rules for a specific rule collection exist, all files with that A rule can be configured to use either an allow or deny action: - **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -- **Deny**. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. +- **Deny**. You can specify which files aren't allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. >**Important:**  You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.   diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index 295497d103..d4eab6bcf6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -33,9 +33,9 @@ This topic describes the result of applying AppLocker rule exceptions to rule co You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. -For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but does not allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception of the rule). +For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but doesn't allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception for the rule). The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks. -To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. +To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 2a8b980f8f..9e63783239 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -1,6 +1,6 @@ --- title: Understanding the file hash rule condition in AppLocker (Windows) -description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. +description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 ms.reviewer: ms.author: macapara @@ -29,9 +29,9 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. +This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied. -File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. +File hash rules use a system-computed cryptographic hash of the identified file. For files that aren't digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. | File hash condition advantages | File hash condition disadvantages | | - | - | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 4aa28b9f43..e47540ebc1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -1,6 +1,6 @@ --- title: Understanding the path rule condition in AppLocker (Windows) -description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. +description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 ms.reviewer: ms.author: macapara @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. +This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied. The path condition identifies an application by its location in the file system of the computer or on the network. @@ -39,11 +39,11 @@ When creating a rule that uses a deny action, path conditions are less secure th |--- |--- | |
                      • You can easily control many folders or a single file.
                      • You can use the asterisk (*) as a wildcard character within path rules.|
                      • It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.
                      • You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.| -AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. +AppLocker doesn't enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule. -AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. +AppLocker uses path variables for well-known directories in Windows. Path variables aren't environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. | Windows directory or drive | AppLocker path variable | Windows environment variable | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 55d9299a0f..22ab048b3b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -1,6 +1,6 @@ --- title: Understanding the publisher rule condition in AppLocker (Windows) -description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. +description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f ms.reviewer: ms.author: macapara @@ -29,25 +29,25 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. +This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied. Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization. -Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages +Publisher conditions are easier to maintain than file hash conditions and are more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages of the publisher condition. |Publisher condition advantages|Publisher condition disadvantages| |--- |--- | -|
                      • Frequent updating is not required.
                      • You can apply different values within a certificate.
                      • A single rule can be used to allow an entire product suite.
                      • You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.|
                      • The file must be signed.
                      • Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.| +|
                      • Frequent updating isn't required.
                      • You can apply different values within a certificate.
                      • A single rule can be used to allow an entire product suite.
                      • You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.|
                      • The file must be signed.
                      • Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.| Wildcard characters can be used as values in the publisher rule fields according to the following specifications: - **Publisher** - The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) is not a valid wildcard character in this field. + The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) isn't a valid wildcard character in this field. - **Product name** - The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. A question mark (?) is not a valid wildcard character in this field. + The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. A question mark (?) isn't a valid wildcard character in this field. - **File name** diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index e054f32aa9..a5ef9054dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -33,7 +33,7 @@ This topic for the IT professional describes the steps to create and maintain Ap ## Background and prerequisites -An AppLocker reference device is a baseline device you can use to configure policies and can subsequently be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). +An AppLocker reference device is a baseline device you can use to configure policies and can then be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment. @@ -43,7 +43,7 @@ You can perform AppLocker policy testing on the reference device by using the ** ## Step 1: Automatically generate rules on the reference device -With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). +With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For information on how to automatically generate rules, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). >**Note:**  If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules. @@ -55,7 +55,7 @@ AppLocker includes default rules for each rule collection. These rules are inten ## Step 3: Modify rules and the rule collection on the reference device -If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: +If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For information on how to export and save the policies, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) @@ -68,7 +68,7 @@ If AppLocker policies are currently running in your production environment, expo ## Step 4: Test and update AppLocker policy on the reference device -You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: +You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it's receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: - [Test an AppLocker Policy with Test-AppLockerPolicy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791772(v=ws.10)) - [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10)) @@ -77,17 +77,17 @@ You should test each set of rules to ensure that they perform as intended. The * ## Step 5: Export and import the policy into production -When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures: +When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that aren't managed by Group Policy) and checked for its intended effectiveness. To do these tasks, perform the following procedures: - [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) - [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or - [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10)) -If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). +If the AppLocker policy enforcement setting is **Audit only** and you're satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). ## Step 6: Monitor the effect of the policy in production -If additional refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: +If more refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) - [Edit an AppLocker policy](edit-an-applocker-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 40d68279fe..37a691a28f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -34,7 +34,7 @@ This topic for IT professionals describes concepts and procedures to help you ma ## Using AppLocker and Software Restriction Policies in the same domain AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running -Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, +Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. @@ -45,15 +45,15 @@ The following table compares the features and functions of Software Restriction |Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

                        AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.| |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.| -|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

                        SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.| -|File types that can be controlled|SRP can control the following file types:
                      • Executables
                      • Dlls
                      • Scripts
                      • Windows Installers

                        SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
                      • Executables
                      • Dlls
                      • Scripts
                      • Windows Installers
                      • Packaged apps and installers

                        AppLocker maintains a separate rule collection for each of the five file types.| +|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

                        SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.| +|File types that can be controlled|SRP can control the following file types:
                      • Executables
                      • Dlls
                      • Scripts
                      • Windows Installers

                        SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
                      • Executables
                      • Dlls
                      • Scripts
                      • Windows Installers
                      • Packaged apps and installers

                        AppLocker maintains a separate rule collection for each of the five file types.| |Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:
                      • Executables (.exe, .com)
                      • Dlls (.ocx, .dll)
                      • Scripts (.vbs, .js, .ps1, .cmd, .bat)
                      • Windows Installers (.msi, .mst, .msp)
                      • Packaged app installers (.appx)| |Rule types|SRP supports four types of rules:
                      • Hash
                      • Path
                      • Signature
                      • Internet zone|AppLocker supports three types of rules:
                      • File hash
                      • Path
                      • Publisher| -|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.

                        Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.| -|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

                        SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.| +|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.

                        Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, and not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.| +|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

                        SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.| |Manage Packaged apps and Packaged app installers.|Not supported|.appx is a valid file type which AppLocker can manage.| |Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.| -|Support for rule exceptions|SRP does not support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.| -|Support for audit mode|SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.| -|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.| +|Support for rule exceptions|SRP doesn't support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.| +|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.| +|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.| |Rule enforcement|Internally, SRP rules enforcement happens in the user-mode, which is less secure.|Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index 636ea5f18b..2751109b02 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -43,7 +43,7 @@ Local Security policy snap-in, you must be a member of the local **Administrator The [Get-AppLockerFileInformation](/powershell/module/applocker/get-applockerfileinformation) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. -File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. +File information from an event log may not contain all of these fields. Files that aren't signed don't have any publisher information. ### Set AppLocker policy @@ -62,6 +62,6 @@ list of file information. The [Test-AppLockerPolicy](/powershell/module/applocker/test-applockerpolicy) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user. -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 0274a768dd..59111cd93d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -39,7 +39,7 @@ The AppLocker log contains information about applications that are affected by A - The rule name - The security identifier (SID) for the user or group identified in the rule -Review the entries in the Event Viewer to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). +Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). @@ -52,14 +52,14 @@ The following table contains information about the events that you can use to de | Event ID | Level | Event message | Description | | - | - | - | - | -| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| | 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| | 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| @@ -68,12 +68,12 @@ The following table contains information about the events that you can use to de | 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| | 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| | 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| -| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.| +| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy was enforced.| Added in Windows Server 2016 and Windows 10.| | 8029 | Error | * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.| | 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.| | 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| -| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit Applocker Policy. | Added in Windows Server 2016 and Windows 10.| +| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. | Added in Windows Server 2016 and Windows 10.| | 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 47f5faeacd..96c1644d3a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -37,7 +37,7 @@ You might want to deploy application control policies in Windows operating syste ## Use SRP and AppLocker in the same domain -SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). +SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they're applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). >**Important:**  As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO. @@ -45,15 +45,15 @@ The following scenario provides an example of how each type of policy would affe | Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP | | - | - | - | - | -| Windows 10, Windows 8.1, Windows 8,and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| -| Windows Vista| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| -| Windows XP| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| +| Windows 10, Windows 8.1, Windows 8, and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| +| Windows Vista| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| +| Windows XP| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| >**Note:**  For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md). ## Test and validate SRPs and AppLocker policies that are deployed in the same environment -Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. +Because SRPs and AppLocker policies function differently, they shouldn't be implemented in the same GPO. This rule, when implemented, makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. ### Step 1: Test the effect of SRPs diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 1196a83dee..dc46fa241d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -76,10 +76,10 @@ The following table compares the application control functions of Software Restr |User support|SRP allows users to install applications as an administrator.|AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.

                        AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).|AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.

                        AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.| |Policy management infrastructure|To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.| -|Block malicious scripts|Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.| +|Block malicious scripts|Rules for blocking malicious scripts prevent all scripts associated with the Windows Script Host from running, except those scripts that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.| |Manage software installation|SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.|The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.| |Manage all software on the computer|All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.|Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.| -|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.| +|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. An administrator uses AppLocker to specify the user to whom a specific rule should apply.| ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 4379162473..4ad45cf9e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -37,7 +37,7 @@ This topic for IT professionals describes AppLocker rule types and how to work w | [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.| | [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.| | [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.| -| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.| +| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.| | [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.| | [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.| | [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.| @@ -49,11 +49,11 @@ The three AppLocker enforcement modes are described in the following table. The | Enforcement mode | Description | | - | - | -| **Not configured** | This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| +| **Not configured** | This is the default setting, which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| | **Enforce rules** | Rules are enforced.| -| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection are not enforced| +| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection aren't enforced| -When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied. +When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged, and the enforcement mode setting of the winning GPO is applied. ## Rule collections The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection. @@ -70,9 +70,9 @@ The AppLocker console is organized into rule collections, which are executable f When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. -The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). +The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). -EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file. +EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it's a valid PE file. ## Rule conditions @@ -84,13 +84,13 @@ Rule conditions are criteria that help AppLocker identify the apps to which the ### Publisher -This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. +This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. If there's executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. > **Note:** Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. > > **Note:** Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. -When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields. +When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving up the slider or by using a wildcard character (\*) in the product, file name, or version number fields. >**Note:**  To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. @@ -108,8 +108,8 @@ The following table describes how a publisher condition is applied. | **All signed files** | All files that are signed by any publisher.| | **Publisher only**| All files that are signed by the named publisher.| | **Publisher and product name**| All files for the specified product that are signed by the named publisher.| -| **Publisher and product name, and file name**| Any version of the named file or package for the named product that are signed by the publisher.| -| **Publisher, product name, file name, and file version**| **Exactly**
                        The specified version of the named file or package for the named product that are signed by the publisher.| +| **Publisher and product name, and file name**| Any version of the named file or package for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version**| **Exactly**
                        The specified version of the named file or package for the named product that is signed by the publisher.| | **Publisher, product name, file name, and file version**| **And above**
                        The specified version of the named file or package and any new releases for the product that are signed by the publisher.| | **Publisher, product name, file name, and file version**| **And below**
                        The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.| | **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.| @@ -184,13 +184,13 @@ A rule can be configured to use allow or deny actions: ## Rule exceptions -You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor. +You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor. -The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. +The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. ## DLL rule collection -Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules. +Because the DLL rule collection isn't enabled by default, you must perform the following procedure before you can create and enforce DLL rules. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. @@ -208,21 +208,21 @@ Membership in the local **Administrators** group, or equivalent, is the minimum You can create rules by using two AppLocker wizards: 1. The Create Rules Wizard enables you to create one rule at a time. -2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. +2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or if there are packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. -## Additional considerations +## Other considerations -- By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications. -- There are two types of AppLocker conditions that do not persist following an update of an app: +- By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications. +- There are two types of AppLocker conditions that don't persist following an update of an app: - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released. - - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. + - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. -- If an app is not digitally signed, you cannot use a publisher rule condition for that app. -- AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. +- If an app isn't digitally signed, you can't use a publisher rule condition for that app. +- AppLocker rules can't be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. - The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8. -- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection does not contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection. -- When an AppLocker rule collection is set to **Audit only**, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. +- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection doesn't contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection. +- When an AppLocker rule collection is set to **Audit only**, the rules aren't enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. - A custom configured URL can be included in the message that is displayed when an app is blocked. -- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed. +- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they can't run apps that aren't allowed. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 839aa3a791..cb5391c9a3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/12/2022 +ms.date: 08/26/2022 ms.technology: windows-sec --- @@ -29,30 +29,28 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Windows 10 (version 1703) introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. +Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM) or Microsoft Intune. ## How does a managed installer work? -Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they are tagged as originating from a managed installer. +Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and any child processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer. You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin. ## Security considerations with managed installer -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. +Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules do. Managed installer is best suited where users operate as standard user, and where all software is deployed and installed by a software distribution solution such as MEMCM. -Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. +Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of your WDAC policies when the managed installer option is allowed. -If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. +If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of your WDAC policies. -Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. +Some application installers may automatically run the application at the end of the installation process. If the application runs automatically, and the installer was run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. ## Known limitations with managed installer - Application control, based on managed installer, doesn't support applications that self-update. If an application that was deployed by a managed installer later updates itself, the updated application files won't include the origin information from the managed installer, and they might not be able to run. When you rely on managed installers, you must deploy and install all application updates by using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. -- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md). - - Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. @@ -64,13 +62,17 @@ To turn on managed installer tracking, you must: - Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. - Enable AppLocker's Application Identity and AppLockerFltr services. +> [!NOTE] +> MEMCM will automatically configure itself as a managed installer, and enable the required AppLocker components, if you deploy one of its inbox WDAC policies. If you are configuring MEMCM as a managed installer using any other method, additional setup is required. Use the [**ManagedInstaller** cmdline switch in your ccmsetup.exe setup](/mem/configmgr/core/clients/deploy/about-client-installation-properties#managedinstaller). Or you can deploy one of the MEMCM inbox audit mode policies alongside your custom policy. + ### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. +The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdlets can't be directly used to create rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. + > [!NOTE] > Only EXE file types can be designated as managed installers. -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. This example creates a rule for Microsoft's Intune Management Extension using the Publisher rule type, but any AppLocker rule type can be used. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you're designating as a managed installer. This example creates a rule for Microsoft's Intune Management Extension using the Publisher rule type, but any AppLocker rule type can be used. You may need to reformat the output for readability. ```powershell Get-ChildItem ${env:ProgramFiles(x86)}'\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml > AppLocker_MI_PS_ISE.xml @@ -125,7 +127,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. +4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This condition-based inclusion ensures the policy will merge successfully on devices that may already have an AppLocker policy in place. ```xml @@ -205,7 +207,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ## Enable the managed installer option in WDAC policy In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. +This setting can be defined by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option. @@ -232,7 +234,7 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables ## Remove Managed Installer feature -To remove the Managed Installer feature from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems). +To remove the Managed Installer feature from the device, you'll need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems). ## Related articles diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 92f944b419..70a4c7cad7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -31,7 +31,7 @@ ms.technology: windows-sec ## Using fsutil to query SmartLocker EA -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. +Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. **Example:** diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 26a241db0e..024c53413c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -1,6 +1,6 @@ --- title: Create a code signing cert for Windows Defender Application Control (Windows) -description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally. +description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -22,93 +22,100 @@ ms.technology: windows-sec **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). +As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). -If you have an internal CA, complete these steps to create a code signing certificate. -Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded. -ECDSA is not supported. +If you have an internal CA, complete these steps to create a code signing certificate. -1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. +> [!WARNING] +> Boot failure (blue screen) may occur if your signing certificate does not follow these rules: +> +> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). +> - Use RSA SHA-256 only. ECDSA isn't supported. +> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. +> - Keys must be less than or equal to 4K key size +> -2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. +1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. + +2. When connected, right-click **Certificate Templates**, and then select **Manage** to open the Certification Templates Console. ![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png) Figure 1. Manage the certificate templates -3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**. +3. In the navigation pane, right-click the Code Signing certificate, and then select **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. -5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**. +5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**. -6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. +6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. -7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**. +7. On the **Extensions** tab, select the **Basic Constraints** check box, and then select **Edit**. -8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. +8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. ![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png) Figure 2. Select constraints on the new template -9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**. +9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**. 10. On the **Subject Name** tab, select **Supply in the request**. 11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate. -12. Click **OK** to create the template, and then close the Certificate Template Console. +12. Select **OK** to create the template, and then close the Certificate Template Console. When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps: -1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3. +1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then select **Certificate Template to Issue**, as shown in Figure 3. ![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png) Figure 3. Select the new certificate template to issue - A list of available templates to issue appears, including the template you just created. + A list of available templates to issue appears, including the template you created. -2. Select the WDAC Catalog signing certificate, and then click **OK**. +2. Select the WDAC Catalog signing certificate, and then select **OK**. Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: -1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. +1. In MMC, from the **File** menu, select **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. -2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**. +2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then select **Request New Certificate**. -3. Click **Next** twice to get to the certificate selection list. +3. Select **Next** twice to get to the certificate selection list. -4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. +4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. ![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png) Figure 4. Get more information for your code signing certificate -5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.** +5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then select **Add**. When added, select **OK.** -6. Enroll and finish. +6. Enroll and finish. >[!NOTE] >If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. -This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: +This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing will happen on the same computer you used to request the certificate, you can skip the following steps. If you'll be signing on another computer, you need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: -1. Right-click the certificate, point to **All Tasks**, and then click **Export**. +1. Right-click the certificate, point to **All Tasks**, and then select **Export**. -2. Click **Next**, and then select **Yes, export the private key**. +2. Select **Next**, and then select **Yes, export the private key**. -3. Choose the default settings, and then select **Export all extended properties**. +3. Choose the default settings, and then select **Export all extended properties**. -4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name. +4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name. When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them. @@ -117,4 +124,3 @@ When the certificate has been exported, import it into the personal store for th - [Windows Defender Application Control](windows-defender-application-control.md) - [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) - diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 3686f2ecb5..f9b070ff3b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,6 +1,6 @@ --- -title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows) -description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide. +title: Create a WDAC policy using a reference computer (Windows) +description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -11,83 +11,133 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/03/2018 +ms.date: 08/08/2022 ms.technology: windows-sec --- -# Create a WDAC policy for fixed-workload devices using a reference computer +# Create a WDAC policy using a reference computer **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. - -For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. -Then create the WDAC policy by scanning the system for installed applications. -The policy file is converted to binary format when it gets created so that Windows can interpret it. - -## Overview of the process of creating Windows Defender Application Control policies - -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Windows Defender Application Control policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). - -Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed. - -If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity. > [!NOTE] -> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. +> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -Each installed software application should be validated as trustworthy before you create a policy. -We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. -Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts. -You can remove or disable such software on the reference computer. +As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -To create a Windows Defender Application Control policy, copy each of the following commands into an elevated Windows PowerShell session, in order: +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. -1. Initialize variables that you will use. +## Create a custom base policy using a reference device + +Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to protect Lamna's critical infrastructure servers. Lamna's imaging practice for infrastructure systems is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Alice decides to use these same "golden" image systems to create the WDAC policies, which will result in separate custom base policies for each type of infrastructure server. As with imaging, she'll have to create policies from multiple golden computers based on model, department, application set, and so on. + +> [!NOTE] +> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.

                        Each installed software application should be validated as trustworthy before you create a policy.

                        We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. You can remove or disable such software on the reference computer. + +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's critical infrastructure servers: + +- All devices are running Windows Server 2019 or above; +- All apps are centrally managed and deployed; +- No interactive users. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. **“Windows works”** rules that authorize: + - Windows + - WHQL (third-party kernel drivers) + - Windows Store signed apps + +2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +To create the WDAC policy, Alice runs each of the following commands in an elevated Windows PowerShell session, in order: + +1. Initialize variables. ```powershell $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName="FixedWorkloadPolicy_Audit" - $WDACPolicy=$PolicyPath+$PolicyName+".xml" - $WDACPolicyBin=$PolicyPath+$PolicyName+".bin" + $LamnaServerPolicy=$PolicyPath+$PolicyName+".xml" + $DefaultWindowsPolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" + ``` 2. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: ```powershell - New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt + New-CIPolicy -FilePath $LamnaServerPolicy -Level SignedVersion -Fallback FilePublisher,FileName,Hash -ScanPath c:\ -UserPEs -MultiplePolicyFormat -OmitPaths c:\Windows,'C:\Program Files\WindowsApps\',c:\windows.old\,c:\users\ 3> CIPolicyLog.txt ``` > [!Note] - > - > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). + > > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). - > > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the tool will scan the C-drive by default. - > + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. If you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers. In other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + > - To create a policy for Windows 10 1903 and above, including support for supplemental policies, use **-MultiplePolicyFormat**. + > - To specify a list of paths to exclude from the scan, use the **-OmitPaths** option and supply a comma-delimited list of paths. > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. -3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: +3. Merge the new policy with the WindowsDefault_Audit policy to ensure all Windows binaries and kernel drivers will load. + + ```powershell + Merge-CIPolicy -OutputFilePath $LamnaServerPolicy -PolicyPaths $LamnaServerPolicy,$DefaultWindowsPolicy + ``` + +4. Give the new policy a descriptive name, and initial version number: + + ```powershell + Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy -PolicyName $PolicyName + Set-CIPolicyVersion -FilePath $LamnaServerPolicy -Version "1.0.0.0" + ``` + +5. Modify the merged policy to set policy rules: + + ```powershell + Set-RuleOption -FilePath $LamnaServerPolicy -Option 3 # Audit Mode + Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 # Unsigned Policy + Set-RuleOption -FilePath $LamnaServerPolicy -Option 9 # Advanced Boot Menu + Set-RuleOption -FilePath $LamnaServerPolicy -Option 12 # Enforce Store Apps + Set-RuleOption -FilePath $LamnaServerPolicy -Option 16 # No Reboot + Set-RuleOption -FilePath $LamnaServerPolicy -Option 17 # Allow Supplemental + Set-RuleOption -FilePath $LamnaServerPolicy -Option 19 # Dynamic Code Security + ``` + +6. If appropriate, add more signer or file rules to further customize the policy for your organization. + +7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: ```powershell - ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin + [xml]$LamnaServerPolicyXML = Get-Content $LamnaServerPolicy + $PolicyId = $LamnaServerPolicyXML.SiPolicy.PolicyId + $LamnaServerPolicyBin = $PolicyPath+$PolicyId+".cip" + ConvertFrom-CIPolicy $LamnaServerPolicy $LamnaServerPolicyBin ``` -After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. +8. Upload the base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). -> [!NOTE] -> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). +Alice now has an initial policy for Lamna's critical infrastructure servers that is ready to deploy in audit mode. -We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md). +## Create a custom base policy to minimize user impact on in-use client devices +Alice previously created a policy for the organization's fully managed devices. Alice has included the fully managed device policy as part of Lamna's device build process so all new devices now begin with WDAC enabled. She's preparing to deploy the policy to systems that are already in use, but is worried about causing disruption to users' productivity. To minimize that risk, Alice decides to take a different approach for those systems. She'll continue to deploy the fully managed device policy in audit mode to those devices, but for enforcement mode she'll merge the fully managed device policy rules with a policy created by scanning the device for all previously installed software. In this way, each device is treated as its own "golden" system. +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed in-use devices: + +- Everything described for Lamna's [Fully Managed Devices](create-wdac-policy-for-fully-managed-devices.md); +- Users have installed apps that they need to continue to run. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. Everything included in the Fully Managed Devices policy +2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +For Lamna's existing, in-use devices, Alice deploys a script along with the Fully Managed Devices policy XML (not the converted WDAC policy binary). The script then generates a custom policy locally on the client as described in the previous section, but instead of merging with the DefaultWindows policy, the script merges with Lamna's Fully Managed Devices policy. Alice also modifies the steps above to match the requirements of this different use case. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index b5aca1e44a..c15d853296 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -45,7 +45,7 @@ To create effective Windows Defender Application Control deny policies, it's cru 5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. > [!NOTE] -> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work). +> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#how-does-wdac-work-with-the-isg). ## Interaction with Existing Policies @@ -155,10 +155,10 @@ Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPo Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options: -1. Mobile Device Management (MDM): [Deploy Windows Defender Application Control (WDAC) policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md) +1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM)](deployment/deploy-windows-defender-application-control-policies-using-intune.md) 2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md) 3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md) -4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md) +4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index c0296ea8e6..2d13639669 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -30,16 +30,16 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. +This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of WDAC. -Alice previously created a policy for the organization's lightly managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and firstline workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT. +Alice previously created a policy for the organization's lightly managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and firstline workers aren't granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT. ## Define the "circle-of-trust" for fully managed devices @@ -51,26 +51,26 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - Sometimes, IT staff install apps directly to these devices without using Configuration Manager; - All users except IT are standard users on these devices. -Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules. +Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an extra managed installer for WDAC and allows her to remove the need for filepath rules. Based on the above, Alice defines the pseudo-rules for the policy: 1. **“Windows works”** rules that authorize: - Windows - - WHQL (3rd party kernel drivers) + - WHQL (third-party kernel drivers) - Windows Store signed apps 2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. 3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer) -The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: +The critical differences between this set of pseudo-rules and those pseudo-rules defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: - Removal of the Intelligent Security Graph (ISG) option; and - Removal of filepath rules. ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully managed devices and decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: @@ -82,8 +82,9 @@ Alice follows these steps to complete this task: 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: ```powershell + $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $LamnaPolicy=$PolicyPath+$PolicyName+".xml" $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` @@ -113,7 +114,7 @@ Alice follows these steps to complete this task: Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security ``` -6. If appropriate, add additional signer or file rules to further customize the policy for your organization. +6. If appropriate, add more signer or file rules to further customize the policy for your organization. 7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format: @@ -121,7 +122,9 @@ Alice follows these steps to complete this task: > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. ```powershell - $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" + [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy + $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId + $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip" ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin ``` @@ -134,7 +137,7 @@ At this point, Alice now has an initial policy that is ready to deploy in audit Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include: - **Users with administrative access**
                        - Although applying to fewer users, Lamna still allows some IT staff to log in to its fully managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. + Although applying to fewer users, Lamna still allows some IT staff to sign in to its fully managed devices as administrator. This privilege allows these users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index d03bb18a75..2ef75b15be 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -30,16 +30,16 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. +This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later articles. > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing that Lamna currently has loose application usage policies and a culture of maximum app flexibility for users, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads. -For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. +For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. ## Define the "circle-of-trust" for lightly managed devices @@ -49,16 +49,16 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune. - Some, but not all, apps are deployed using Configuration Manager; - Most users are local administrators on their devices; -- Some teams may need additional rules to authorize specific apps that don't apply generally to all other users. +- Some teams may need more rules to authorize specific apps that don't apply generally to all other users. Based on the above, Alice defines the pseudo-rules for the policy: 1. **“Windows works”** rules that authorize: - Windows - - WHQL (3rd party kernel drivers) + - WHQL (third-party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules which include signer and hash rules for Configuration Manager components to properly function. +2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. 3. **Allow Managed Installer** (Configuration Manager configured as a managed installer) 4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) 5. **Admin-only path rules** for the following locations: @@ -68,7 +68,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: @@ -112,7 +112,7 @@ Alice follows these steps to complete this task: Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security ``` -6. Add rules to allow windir and Program Files directories: +6. Add rules to allow the Windows and Program Files directories: ```powershell $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" @@ -121,7 +121,7 @@ Alice follows these steps to complete this task: Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules ``` -7. If appropriate, add additional signer or file rules to further customize the policy for your organization. +7. If appropriate, add more signer or file rules to further customize the policy for your organization. 8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: @@ -133,7 +133,7 @@ Alice follows these steps to complete this task: ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin ``` -9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). +9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/), or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. @@ -142,7 +142,7 @@ At this point, Alice now has an initial policy that is ready to deploy in audit In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: - **Users with administrative access**
                        - By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. + This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. @@ -161,10 +161,10 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Limit who can elevate to administrator on the device. - **Intelligent Security Graph (ISG)**
                        - See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph) + See [security considerations with the Intelligent Security Graph](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#security-considerations-with-the-isg-option) Possible mitigations: - - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. + - Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **Supplemental policies**
                        Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 348fbacaf2..65565ec200 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -40,9 +40,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must > [!NOTE] > When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention. -1. Be sure that a Windows Defender Application Control policy is currently deployed in audit mode on the computer on which you will run Package Inspector. +1. Be sure that a Windows Defender Application Control policy is currently deployed in audit mode on the computer on which you'll run Package Inspector. - Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. + Package Inspector doesn't always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. > [!NOTE] > This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it. @@ -58,7 +58,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must By copying the installation media to the local drive, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future WDAC policy may allow the application to run but not to be installed. -4. Install the application. Install it to the same drive that the application installer is located on (the drive you are scanning). Also, while Package Inspector is running, do not run any installations or updates that you don't want to capture in the catalog. +4. Install the application. Install it to the same drive that the application installer is located on (the drive you're scanning). Also, while Package Inspector is running, don't run any installations or updates that you don't want to capture in the catalog. > [!IMPORTANT] > Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time. @@ -71,9 +71,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must This step is necessary to ensure that the scan has captured all binaries. -8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it is updated, and then close and reopen the application. +8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it's updated, and then close and reopen the application. -9. When you have confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate. +9. When you've confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate. For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:. @@ -98,22 +98,22 @@ Packages can fail for the following reasons: - Package is too large for default USN Journal or Event Log sizes - To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop - - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start) + - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start) - `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow - For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help - To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small) - To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously) - Package files that change hash each time the package is installed - - Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector + - Package Inspector is incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this hash-change by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package won't work with Package Inspector - Files with an invalid signature blob or otherwise "unhashable" files - This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec. - - Windows Defender Application Control uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it) - - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector) + - Windows Defender Application Control uses Authenticode Hashes to validate files when they're running. If the file is unhashable via the authenticode SIP, there's no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it) + - Recent versions of InstallShield packages that use custom actions can hit this condition. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector) ## Catalog signing with SignTool.exe -To sign a catalog file you generated by using PackageInspector.exe, you need the following: +To sign a catalog file you generated by using PackageInspector.exe, you need: - SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later) @@ -148,15 +148,15 @@ To sign the existing catalog file, copy each of the following commands into an e 5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. - For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager. Doing this also simplifies the management of catalog versions. + For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager, which also simplifies the management of catalog versions. ## Add a catalog signing certificate to a Windows Defender Application Control policy After the catalog file is signed, add the signing certificate to a WDAC policy, as described in the following steps. -1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. +1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. -2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: +2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you'll later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: `New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs` @@ -212,9 +212,9 @@ To simplify the management of catalog files, you can use Group Policy preference **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat** - For the catalog file name, use the name of the catalog you are deploying. + For the catalog file name, use the name of the catalog you're deploying. -10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Doing this ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. +10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Enabling this option ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. 11. Click **OK** to complete file creation. @@ -224,7 +224,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s ## Deploy catalog files with Microsoft Endpoint Configuration Manager -As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: +As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: >[!NOTE] >The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. @@ -263,7 +263,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c 7. Accept the defaults for the rest of the wizard, and then close the wizard. -After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you just created to a test collection: +After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you created to a test collection: 1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then click **Deploy**. @@ -335,9 +335,9 @@ When catalog files have been deployed to the computers within your environment, 8. Click **OK**. -9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. +9. Now that you've created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. -At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: +At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you'll be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: 1. Open the Configuration Manager console, and select the Assets and Compliance workspace. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 37126d5855..dbe28e8b2a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: +Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: 1. Enforce and Audit Side-by-Side - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy @@ -49,11 +49,11 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a - Multiple base policies: intersection - Only applications allowed by both policies run without generating block events - Base + supplemental policy: union - - Files that are allowed by either the base policy or the supplemental policy are not blocked + - Files that are allowed by either the base policy or the supplemental policy aren't blocked ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash @@ -87,7 +87,7 @@ Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBase ### Merging policies -When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \. +When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \. ## Deploying multiple policies @@ -107,9 +107,16 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
                        -However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. -See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability. +For more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. + +### Known Issues in Multiple Policy Format + +* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. +* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit. +* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot. + diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index b8f3362555..287aba1869 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -1,22 +1,19 @@ --- -title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows) -description: You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. -keywords: security, malware +title: Deploy Windows Defender Application Control policies with Configuration Manager +description: You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. ms.prod: m365-security -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: jogeurte -ms.manager: jsuther -manager: dansimp -ms.date: 07/19/2021 ms.technology: windows-sec -ms.topic: article +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: aaroncz +ms.author: jogeurte +manager: jsuther +ms.date: 06/27/2022 +ms.topic: how-to ms.localizationpriority: medium --- -# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager (MEMCM) +# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager **Applies to:** @@ -24,25 +21,75 @@ ms.localizationpriority: medium - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md). You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines. -## Use MEMCM's built-in policies +## Use Configuration Manager's built-in policies -Microsoft Endpoint Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: +Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: - Windows components - Microsoft Store apps - Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer) -- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) -- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints. +- (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG) +- (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints. -Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. +Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. + +### Create a WDAC Policy in Configuration Manager + +1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy** + + ![Create a WDAC policy in Configuration Manager.](../images/memcm/memcm-create-wdac-policy.jpg) + +2. Enter the name of the policy > **Next** +3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes** +4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only) +5. Select **Next** + + ![Create an enforced WDAC policy in Configuration Manager.](../images/memcm/memcm-create-wdac-policy-2.jpg) + +6. Select **Add** to begin creating rules for trusted software + + ![Create a WDAC path rule in Configuration Manager.](../images/memcm/memcm-create-wdac-rule.jpg) + +7. Select **File** or **Folder** to create a path rule > **Browse** + + ![Select a file or folder to create a path rule.](../images/memcm/memcm-create-wdac-rule-2.jpg) + +8. Select the executable or folder for your path rule > **OK** + + ![Select the executable file or folder.](../images/memcm/memcm-create-wdac-rule-3.jpg) + +9. Select **OK** to add the rule to the table of trusted files or folder +10. Select **Next** to navigate to the summary page > **Close** + + ![Confirm the WDAC path rule in Configuration Manager.](../images/memcm/memcm-confirm-wdac-rule.jpg) + +### Deploy the WDAC policy in Configuration Manager + +1. Right-click the newly created policy > **Deploy Application Control Policy** + + ![Deploy WDAC via Configuration Manager.](../images/memcm/memcm-deploy-wdac.jpg) + +2. Select **Browse** + + ![Select Browse.](../images/memcm/memcm-deploy-wdac-2.jpg) + +3. Select the Device Collection you created earlier > **OK** + + ![Select the device collection.](../images/memcm/memcm-deploy-wdac-3.jpg) + +4. Change the schedule > **OK** + + ![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-wdac-4.jpg) For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). +Download the entire [WDAC in Configuration Manager lab paper](https://download.microsoft.com/download/c/f/d/cfd6227c-8ec4-442d-8c50-825550d412f6/WDAC-Deploy-WDAC-using-MEMCM.pdf). + ## Deploy custom WDAC policies using Packages/Programs or Task Sequences Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md similarity index 86% rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index 23f551bee1..5fd44350ee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 02/28/2018 +ms.date: 06/27/2022 ms.technology: windows-sec --- @@ -22,14 +22,13 @@ ms.technology: windows-sec **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +- Windows 10 +- Windows 11 +- Windows Server 2016 and above > [!NOTE] +> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +> > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. @@ -41,9 +40,9 @@ To deploy and manage a Windows Defender Application Control policy with Group Po 2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**. > [!NOTE] - > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md). + > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md). - ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png) + ![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png) 3. Name the new GPO. You can choose any name. @@ -51,7 +50,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po 5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**. - ![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png) + ![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png) 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path. @@ -60,7 +59,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po > [!NOTE] > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. - ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png) + ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png) > [!NOTE] > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md similarity index 73% rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 143fbdcc2e..407a00c553 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 04/29/2020 +ms.date: 06/27/2022 ms.technology: windows-sec --- @@ -22,21 +22,21 @@ ms.technology: windows-sec **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. +You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. ## Use Intune's built-in policies Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run: - Windows components -- 3rd party hardware and software kernel drivers +- Third-party hardware and software kernel drivers - Microsoft Store-signed apps - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) @@ -51,7 +51,7 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo ## Deploy WDAC policies with custom OMA-URI > [!NOTE] -> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy. +> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy. ### Deploy custom WDAC policies on Windows 10 1903+ @@ -68,23 +68,23 @@ The steps to use Intune's custom OMA-URI functionality are: 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - **Data type**: Base64 - - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. + - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] - > ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png) + > ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png) > [!NOTE] > For the _Policy GUID_ value, do not include the curly brackets. ### Remove WDAC policies on Windows 10 1903+ -Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot. +Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This deletion will prevent anything from being blocked and fully remove the WDAC policy on the next reboot. ### For pre-1903 systems #### Deploying policies -The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: +The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -100,4 +100,4 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocke #### Removing policies -Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy. +Policies deployed through Intune via the AppLocker CSP can't be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 7f04db97e1..0c7726f27d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -33,7 +33,7 @@ This topic covers how to disable unsigned or signed WDAC policies. ## Disable unsigned Windows Defender Application Control policies -There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then simply delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart: +There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart: - <EFI System Partition>\\Microsoft\\Boot\\ - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ @@ -43,7 +43,7 @@ There may come a time when an administrator wants to disable a Windows Defender ## Disable signed Windows Defender Application Control policies within Windows -Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. +Signed policies protect Windows from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. > [!NOTE] > For reference, signed WDAC policies should be replaced and removed from the following locations: @@ -68,7 +68,7 @@ Signed policies protect Windows from administrative manipulation as well as malw 5. Restart the client computer. -If the signed Windows Defender Application Control policy has been deployed using by using Group Policy, you must complete the following steps: +If the signed Windows Defender Application Control policy has been deployed by using Group Policy, you must complete the following steps: 1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. @@ -90,7 +90,7 @@ If the signed Windows Defender Application Control policy has been deployed usin ## Disable signed Windows Defender Application Control policies within the BIOS -There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: +There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it's important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: - <EFI System Partition>\\Microsoft\\Boot\\ - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e96c186076..ef245ab5bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -1,5 +1,5 @@ --- -title: Understanding Application Control event IDs (Windows) +title: Understanding Application Control event IDs description: Learn what different Windows Defender Application Control event IDs signify. ms.prod: m365-security ms.technology: windows-sec @@ -47,7 +47,7 @@ A Windows Defender Application Control policy logs events locally in Windows Eve | Event ID | Explanation | |--------|-----------| | 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. | -| 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes.md). | +| 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). | | 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. | @@ -91,7 +91,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Event ID 3099 Options -The Application Control policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. +The Application Control policy rule option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. - Access Event Viewer. - Access the Code integrity 3099 event. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index d51eeb7f4d..751028a760 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -1,48 +1,43 @@ --- -title: Windows Defender Application Control Feature Availability +title: Windows Defender Application Control feature availability description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: denisebmsft -ms.reviewer: jgeurten -ms.author: deniseb -manager: dansimp -ms.date: 05/09/2022 -ms.custom: asr ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: aaroncz +ms.author: jogeurte +manager: jsuther +ms.date: 06/27/2022 +ms.custom: asr +ms.topic: overview --- # Windows Defender Application Control and AppLocker feature availability **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more. | Capability | Windows Defender Application Control | AppLocker | |-------------|------|-------------| | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later | | SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
                        For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
                        Policies deployed through MDM are effective on all SKUs. | -| Management solutions |

                        • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
                        • [Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
                        • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
                        • PowerShell
                        |
                        • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
                        • Configuration Manager (custom policy deployment via Software Distribution only)
                        • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
                        • PowerShell
                            • | +| Management solutions |
                            • [Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
                            • [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)
                            • [Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
                            • PowerShell
                            |
                            • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
                            • Configuration Manager (custom policy deployment via software distribution only)
                            • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
                            • PowerShell
                                • | | Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | | Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available | | Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available | | Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available | | Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available | | Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available | -| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | +| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions aren't supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | | COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available | | Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ | -| Enforceable file types |
                                • Driver files: .sys
                                • Executable files: .exe and .com
                                • DLLs: .dll and .ocx
                                • Windows Installer files: .msi, .mst, and .msp
                                • Scripts: .ps1, .vbs, and .js
                                • Packaged apps and packaged app installers: .appx
                                |
                                • Executable files: .exe and .com
                                • [Optional] DLLs: .dll and .ocx
                                • Windows Installer files: .msi, .mst, and .msp
                                • Scripts: .ps1, .bat, .cmd, .vbs, and .js
                                • Packaged apps and packaged app installers: .appx
                                | +| Enforceable file types |
                                • Driver files: .sys
                                • Executable files: .exe and .com
                                • DLLs: .dll and .ocx
                                • Windows Installer files: .msi, .mst, and .msp
                                • Scripts: .ps1, .vbs, and .js
                                • Packaged apps and packaged app installers: .appx
                                |
                                • Executable files: .exe and .com
                                • [Optional] DLLs: .dll, .rll and .ocx
                                • Windows Installer files: .msi, .mst, and .msp
                                • Scripts: .ps1, .bat, .cmd, .vbs, and .js
                                • Packaged apps and packaged app installers: .appx
                                | | Application ID (AppId) Tagging | [Available on 20H1+](./AppIdTagging/windows-defender-application-control-appid-tagging-guide.md) | Not available | diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg new file mode 100644 index 0000000000..3b06ba7568 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg new file mode 100644 index 0000000000..6e454dc47b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg new file mode 100644 index 0000000000..22d7cdd6d3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg new file mode 100644 index 0000000000..f7de3317e4 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg new file mode 100644 index 0000000000..f2d19714d5 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg new file mode 100644 index 0000000000..699776d0a6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg new file mode 100644 index 0000000000..3149ccca4f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg new file mode 100644 index 0000000000..178c8bc87a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg new file mode 100644 index 0000000000..917b78e14a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg new file mode 100644 index 0000000000..03db06521a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 2f70a0b792..b39d1f45b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -99,13 +99,13 @@ landingContent: - linkListType: tutorial links: - text: Deployment with MDM - url: deploy-windows-defender-application-control-policies-using-intune.md - - text: Deployment with MEMCM + url: deployment/deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with Configuration Manager url: deployment/deploy-wdac-policies-with-memcm.md - text: Deployment with script and refresh policy url: deployment/deploy-wdac-policies-with-script.md - - text: Deployment with Group Policy - url: deploy-windows-defender-application-control-policies-using-group-policy.md + - text: Deployment with group policy + url: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md # Card - title: Learn how to monitor WDAC events linkLists: diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 71bcec1a37..c309371277 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -34,7 +34,7 @@ This topic for IT professionals describes concepts and lists procedures to help ## Understanding Packaged Apps and Packaged App Installers Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. -With packaged apps, it is possible to control the entire app by using a single Windows Defender Application Control rule. +With packaged apps, it's possible to control the entire app by using a single Windows Defender Application Control rule. Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, these components don't always share common attributes such as the software’s publisher name, product name, and product version. Therefore, Windows Defender Application Control controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. @@ -43,8 +43,8 @@ Typically, an app consists of multiple components: the installer that is used to Windows Defender Application Control policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: -- **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. -- **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your Windows Defender Application Control policies, it is important to understand whether an app that you are allowing can make system-wide changes. +- **Installing the apps**   All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. +- **Changing the system state**   Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your Windows Defender Application Control policies, it's important to understand whether an app that you're allowing can make system-wide changes. - **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means. Windows Defender Application Control uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. @@ -57,7 +57,7 @@ Just as there are differences in managing each rule collection, you need to mana 2. Create WDAC rules for specific packaged apps based on your policy strategies. For more information, see [Deploy Windows Defender Application Control policy (WDAC) rules and file rules](select-types-of-rules-to-create.md). -3. Continue to update the WDAC policies as new package apps are introduced into your environment. To do this, see [Merge WDAC policies](merge-windows-defender-application-control-policies.md). +3. Continue to update the WDAC policies as new package apps are introduced into your environment. For information on how to do this update, see [Merge WDAC policies](merge-windows-defender-application-control-policies.md). ## Blocking Packaged Apps @@ -65,7 +65,7 @@ You can now use `New-CIPolicyRule -Package $Package -Deny` to block packaged app ### Blocking Packaged Apps Which Are Installed on the System -Below are the list of steps you can follow to block one or more packaged apps in the case that the apps are on the system you are using the WDAC PowerShell cmdlets on: +Below are the list of steps you can follow to block one or more packaged apps in the case that the apps are on the system you're using the WDAC PowerShell cmdlets on: 1. Get the app identifier for an installed package @@ -116,9 +116,9 @@ Below are the list of steps you can follow to block one or more packaged apps in ```powershell Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = "C:\compiledpolicy.bin"} ``` - ### Blocking Packaged Apps Which Are Not Installed on the System + ### Blocking Packaged Apps Which Aren't Installed on the System -If the app you intend to block is not installed on the system you are using the WDAC PowerShell cmdlets on, then follow the steps below: +If the app you intend to block isn't installed on the system you're using the WDAC PowerShell cmdlets on, then follow the steps below: 1. Create a dummy rule using Steps 1-5 in the Blocking Packaged Apps Which Are Installed on the System section above @@ -148,4 +148,4 @@ The method for allowing specific packaged apps is similar to the method outlined $Rule = New-CIPolicyRule -Package $package -allow ``` -Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules. +Since many system apps are packaged apps, it's recommended that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0fbd505f00..498ab02284 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -75,9 +75,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - wslconfig.exe - wslhost.exe -1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. +1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. -2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that is not being used in a development context, we recommend that you block msbuild.exe. +2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that isn't being used in a development context, we recommend that you block msbuild.exe. * Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: @@ -107,9 +107,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions. -Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. +Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes. -For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. +For October 2017, we're announcing an update to system.management.automation.dll in which we're revoking older versions by hash values, instead of version rules. Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files: @@ -162,7 +162,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -877,7 +877,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -905,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp + + + + --> diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 1d88193ede..7c16581109 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -36,11 +36,11 @@ The vulnerable driver blocklist is designed to help harden systems against third - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel - Malicious behaviors (malware) or certificates used to sign malware -- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel +- Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 611a90b62b..dfddeebe3f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -10,7 +10,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: dansimp -ms.date: 04/14/2021 +ms.date: 07/01/2022 ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium @@ -25,19 +25,23 @@ ms.localizationpriority: medium - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic covers tips and tricks for admins as well as known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. +This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. + +## Managed Installer and ISG will cause garrulous events + +When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy. ## .NET native images may generate false positive block events -In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window. +In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window. ## MSI Installations launched directly from the internet are blocked by WDAC Installing .msi files directly from the internet to a computer protected by WDAC will fail. -For example, this command will not work: +For example, this command won't work: ```console msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 7e7c459ff7..6691993b1b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -37,11 +37,11 @@ The first step in implementing application control is to consider how your polic Most Windows Defender Application Control policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include: -1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files are not prevented from executing. +1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files aren't prevented from executing. 2. Deploy the audit mode policy to intended devices. 3. Monitor audit block events from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks. 4. Repeat steps 2-3 until the remaining block events meet expectations. -5. Generate the enforced mode version of the policy. In enforced mode, files that are not allowed by the policy are prevented from executing and corresponding block events are generated. +5. Generate the enforced mode version of the policy. In enforced mode, files that aren't allowed by the policy are prevented from executing and corresponding block events are generated. 6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. @@ -59,11 +59,11 @@ Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmd > PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10. > PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy. -In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (e.g. "1.0.0.0"). +In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (for example, "1.0.0.0"). ### Policy rule updates -As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. +As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates. ## WDAC event management @@ -84,16 +84,16 @@ Considerations include: ### Help desk support -If your organization has an established help desk support department in place, consider the following when deploying Windows Defender Application Control policies: +If your organization has an established help desk support department in place, consider the following points when deploying Windows Defender Application Control policies: - What documentation does your support department require for new policy deployments? - What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? - Who are the contacts in the support department? -- How will the support department resolve application control issues between the end user and those who maintain the Windows Defender Application Control rules? +- How will the support department resolve application control issues between the end user and those resources who maintain the Windows Defender Application Control rules? ### End-user support -Because Windows Defender Application Control is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: +Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plan how to provide end-user support. Considerations include: - Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? @@ -102,6 +102,6 @@ Because Windows Defender Application Control is preventing unapproved apps from After deciding how your organization will manage your Windows Defender Application Control policy, record your findings. -- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the Windows Defender Application Control policy, if necessary. +- **End-user support policy.** Document the process that you'll use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the Windows Defender Application Control policy, if necessary. - **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis. -- **Policy management.** Detail what policies are planned, how they will be managed, and how rules will be maintained over time. +- **Policy management.** Detail what policies are planned, how they'll be managed, and how rules will be maintained over time. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1b68313de8..0194121a74 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -10,11 +10,11 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: dansimp -ms.reviewer: isbrahm +author: jgeurten +ms.reviewer: jsuther1974 ms.author: dansimp manager: dansimp -ms.date: 06/28/2022 +ms.date: 08/29/2022 ms.technology: windows-sec --- @@ -88,13 +88,13 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the | Rule level | Description | |----------- | ----------- | -| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | +| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | | **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. | -| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. | +| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. | | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. | | **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). | | **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | -| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. | +| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. | | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). | | **RootCertificate** | Currently unsupported. | | **WHQL** | Trusts binaries if they've been validated and signed by WHQL. This level is primarily for kernel binaries. | @@ -112,13 +112,16 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run. -To create the Windows Defender Application Control policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. Using the audit data, they update their WDAC policies to include any additional software they want to run. Then they enable the WDAC policy in enforced mode for their servers. +To create the Windows Defender Application Control policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. With the help of the audit data, they update their WDAC policies to include any other software they want to run. Then they enable the WDAC policy in enforced mode for their servers. As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they won't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these sets exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + +> [!NOTE] +> For others to better understand the WDAC policies that have been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. ## More information about filepath rules @@ -132,30 +135,30 @@ WDAC's list of well-known admin SIDs are: S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523. -When generating filepath rules using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch. +When filepath rules are being generated using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch. Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\*` would include `C:\foo\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path aren't supported (ex. `C:\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`). You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. > [!NOTE] -> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. +> When authoring WDAC policies with Microsoft Endpoint Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied. > [!NOTE] > There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules. ## More information about hashes -WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated. +WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated. -The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files. +The Authenticode/PE image hash can be calculated for digitally signed and unsigned files. ### Why does scan create four hash rules per XML file? The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash. -During validation CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash. +During validation, CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash. -In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. +In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. ### Why does scan create eight hash rules for certain XML files? diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 6ff71e34a5..287c4058d0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -29,27 +29,27 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described. +Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It's common for organizations to have device use cases across each of the categories described. ## Types of devices | **Type of device** | **How WDAC relates to this type of device** | |------------------------------------|------------------------------------------------------| | **Lightly managed devices**: Company-owned, but users are free to install software.
                                Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | -| **Fully managed devices**: Allowed software is restricted by IT department.
                                Users can request additional software, or install from a list of applications provided by IT department.
                                Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
                                WDAC policies are supported by the HVCI service. | -| **Fixed-workload devices**: Perform same tasks every day.
                                Lists of approved applications rarely change.
                                Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Application Control can be deployed fully, and deployment and ongoing administration are relatively straightforward.
                                After Windows Defender Application Control deployment, only approved applications can run. This is because of protections offered by WDAC. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, Windows Defender Application Control does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | +| **Fully managed devices**: Allowed software is restricted by IT department.
                                Users can request for more software, or install from a list of applications provided by IT department.
                                Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves more applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
                                WDAC policies are supported by the HVCI service. | +| **Fixed-workload devices**: Perform same tasks every day.
                                Lists of approved applications rarely change.
                                Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Application Control can be deployed fully, and deployment and ongoing administration are relatively straightforward.
                                After Windows Defender Application Control deployment, only approved applications can run. This rule is because of protections offered by WDAC. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, Windows Defender Application Control doesn't apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | ## An introduction to Lamna Healthcare Company -In the next set of topics, we will explore each of the above scenarios using a fictional organization called Lamna Healthcare Company. +In the next set of topics, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company. Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Endpoint Manager to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response. -Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control. +Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized many new security IT responses, including tightening policies for application use and introducing application control. ## Up next -- [Create a Windows Defender Application Control policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) +- [Create a Windows Defender Application Control policy for lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 9729e7515d..406209261e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -44,15 +44,15 @@ You should consider using Windows Defender Application Control as part of your o ## Decide what policies to create -Beginning with Windows 10, version 1903, Windows Defender Application Control allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. +Beginning with Windows 10, version 1903, Windows Defender Application Control allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This concurrent application opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust," we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML. For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. -Configuration Manager uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. +Configuration Manager uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This process establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. -The following questions can help you plan your Windows Defender Application Control deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order, and are not meant to be an exhaustive set of design considerations. +The following questions can help you plan your Windows Defender Application Control deployment and determine the right "circle-of-trust" for your policies. They aren't in priority or sequential order, and aren't meant to be an exhaustive set of design considerations. ## WDAC design considerations @@ -74,11 +74,11 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p | Possible answers | Design considerations | | - | - | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | -| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | +| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | ### Are there specific groups in your organization that need customized application control policies? -Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. +Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There's overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. | Possible answers | Design considerations | | - | - | @@ -91,12 +91,12 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as simply as possible.| +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as possible.| | No | Consider a focused and phased deployment for specific groups by using few rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | ### Does your organization have Help Desk support? -Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. +Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow isn't hampered. | Possible answers | Design considerations | | - | - | diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index fcb3a32077..b84336abab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,6 +1,6 @@ --- title: Use code signing to simplify application control for classic Windows applications (Windows) -description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods. +description: With embedded signing, your WDAC policies typically don't have to be updated when an app is updated. To set up this embedded signing, you can choose from various methods. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -33,13 +33,13 @@ This topic covers guidelines for using code signing control classic Windows apps ## Reviewing your applications: application signing and catalog files -Typically, Windows Defender Application Control (WDAC) policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. +Typically, Windows Defender Application Control (WDAC) policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This purpose means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. -Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your Windows Defender Application Control policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing). +Catalog files can be useful for unsigned LOB applications that can't easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your Windows Defender Application Control policies typically don't have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing). -To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods: +To obtain signed applications or embed signatures in your in-house applications, you can choose from various methods: -- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own. +- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll up to our certificate authority (CA) or to your own. - Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers. @@ -53,11 +53,11 @@ To use catalog signing, you can choose from the following options: ### Catalog files -Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by Windows Defender Application Control in the same way as any other signed application. +Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you don't want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by Windows Defender Application Control in the same way as any other signed application. -Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also. +Catalog files are Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also. -After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files. +After you've created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files. > [!NOTE] > Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, Windows 2016 Server, or Windows Enterprise IoT. @@ -66,8 +66,8 @@ For procedures for working with catalog files, see [Deploy catalog files to supp ## Windows Defender Application Control policy formats and signing -When you generate a Windows Defender Application Control policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file. +When you generate a Windows Defender Application Control policy, you're generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file. We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command. -When the Windows Defender Application Control policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy. +When the Windows Defender Application Control policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add more protection against administrative users changing or removing the policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 1b87884a5e..07f86d0c75 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -11,10 +11,10 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 06/27/2022 +ms.date: 08/15/2022 ms.technology: windows-sec --- @@ -29,30 +29,33 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. +Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies can't be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this idea of the policies in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. -Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. +> [!WARNING] +> Boot failure (blue screen) may occur if your signing certificate does not follow these rules: +> +> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). +> - Use RSA SHA-256 only. ECDSA isn't supported. +> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. +> - Keys must be less than or equal to 4K key size +> + +Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. -If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. +If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. -Before PKCS #7-signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). +Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components: -- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) +- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) -- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created +- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created -- An internal CA code signing certificate or a purchased code signing certificate +- An internal CA code signing certificate or a purchased code signing certificate -> [!NOTE] -> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) -> ->Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. - - -If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: +If you don't have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, ensure you update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: @@ -64,12 +67,12 @@ If you do not have a code signing certificate, see [Optional: Create a code sign > [!NOTE] > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information. -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the user’s personal store on the computer where the signing happens. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. 4. Navigate to your desktop as the working directory: - + ```powershell cd $env:USERPROFILE\Desktop ``` @@ -104,11 +107,11 @@ If you do not have a code signing certificate, see [Optional: Create a code sign ```powershell sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin ``` - + > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). +9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md). > [!NOTE] -> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. +> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 869d7f489a..b3e830a04b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -29,7 +29,7 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -As of Windows 10, version 1703, you can use Windows Defender Application Control (WDAC) policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): +As of Windows 10, version 1703, you can use Windows Defender Application Control (WDAC) policies to control applications and also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): | Approach (as of Windows 10, version 1703) | Guideline | |---|---| @@ -38,7 +38,7 @@ As of Windows 10, version 1703, you can use Windows Defender Application Control To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section). -For example, to create a Windows Defender Application Control policy allowing **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable: +For example, to create a Windows Defender Application Control policy allowing **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. In the second command, **+=** is used to add a second rule to the **$rule** variable: ```powershell $rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 19f39c1525..4256d0a041 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Application Control and .NET Hardening (Windows) -description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. +title: Windows Defender Application Control and .NET (Windows) +description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -11,32 +11,46 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 09/23/2021 +ms.date: 08/10/2022 ms.technology: windows-sec --- -# Windows Defender Application Control and .NET hardening +# Windows Defender Application Control (WDAC) and .NET -Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization. -Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. -Beginning with Windows 10, version 1803, or Windows 11, Windows Defender Application Control features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. +.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it. -When the Dynamic Code Security option is enabled, Windows Defender Application Control policy is applied to libraries that .NET loads from external sources. -Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. +The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. -Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. -Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. -Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. +In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events). -Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/precompiling-your-website-cs) document for how to fix that. +To mitigate any performance impact caused when the WDAC EA isn't valid or missing, use any of the following strategies: -To enable Dynamic Code Security, add the following option to the `` section of your policy: +1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature; +2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies; +3. [Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control) for the native images + +## WDAC and .NET hardening + +Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls. +Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. + +When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share. + +Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. + +Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries. +Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. +Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. + +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. + +To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy: ```xml -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 4e1abd6929..e430a2a554 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -30,31 +30,33 @@ ms.technology: windows-sec Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. -Beginning with Windows 10, version 1709, you can set an option to automatically allow applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). +To reduce end-user friction and helpdesk calls, you can set Windows Defender Application Control (WDAC) to automatically allow applications that Microsoft's Intelligent Security Graph (ISG) recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the ISG, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). -## How does the integration between WDAC and the Intelligent Security Graph work? +> [!WARNING] +> Binaries that are critical to boot the system must be allowed using explicit rules in your WDAC policy. Do not rely on the ISG to authorize these files. +> +> The ISG option is not the recommended way to allow apps that are business critical. You should always authorize business critical apps using explicit allow rules or by installing them with a [managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer). -The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with Windows Defender Application Control (WDAC) enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. +## How does WDAC work with the ISG? -If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. +The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources, and processed every 24 hours. As a result, the decision from the cloud can change. -If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. +WDAC only checks the ISG for binaries that aren't explicitly allowed or denied by your policy, and that weren't installed by a managed installer. When such a binary runs on a system with WDAC enabled with the ISG option, WDAC will check the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, then the file will be allowed to run. Otherwise, it will be blocked by WDAC. -WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. +If the file with good reputation is an application installer, the installer's reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. Files authorized based on the installer's reputation will have the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) written to the file. ->[!NOTE] ->Admins should make sure there is a Windows Defender Application Control policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune can be used to create and push a WDAC policy to your client machines. +WDAC periodically requeries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. -## Configuring Intelligent Security Graph authorization for Windows Defender Application Control +## Configuring ISG authorization for your WDAC policy -Setting up the ISG is easy using any management solution you wish. Configuring the Microsoft Intelligent Security Graph option involves these basic steps: +Setting up the ISG is easy using any management solution you wish. Configuring the ISG option involves these basic steps: -- [Ensure that the Microsoft Intelligent Security Graph option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) -- [Enable the necessary services to allow WDAC to use the Microsoft Intelligent Security Graph correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) +- [Ensure that the **Enabled:Intelligent Security Graph authorization** option is set in the WDAC policy XML](#ensure-that-the-isg-option-is-set-in-the-wdac-policy-xml) +- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) -### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML +### Ensure that the ISG option is set in the WDAC policy XML -To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the Windows Defender Application Control policy. This step can be done with the Set-RuleOption cmdlet. You should also enable the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option is not recommended for devices that don't have regular access to the internet. The following example shows both options being set. +To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set. ```xml @@ -84,50 +86,29 @@ To allow apps and binaries based on the Microsoft Intelligent Security Graph, th ### Enable the necessary services to allow WDAC to use the ISG correctly on the client -In order for the heuristics used by the ISG to function properly, a number of components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`. +In order for the heuristics used by the ISG to function properly, other components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`. ```console appidtel start ``` -This step isn't required for Windows Defender Application Control policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration. +This step isn't required for WDAC policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration. -## Security considerations with the Intelligent Security Graph +## Security considerations with the ISG option -Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used. +Since the ISG is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used. -Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. Also, since the ISG option passes along reputation from application installers to the binaries they write to disk, it can over-authorize files in some cases where the installer launches the application upon completion. +Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. -## Using fsutil to query SmartLocker EA -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. +Also, since the ISG option passes along reputation from app installers to the binaries they write to disk, it can over-authorize files in some cases. For example, if the installer launches the app upon completion, any files the app writes during that first run will also be allowed. -#### Example +## Known limitations with using the ISG -```console -fsutil file queryEA C:\Users\Temp\Downloads\application.exe +Since the ISG only allows binaries that are "known good", there are cases where the ISG may be unable to predict whether legitimate software is safe to run. If that happens, the software will be blocked by WDAC. In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, and self-updating applications, may exhibit this symptom. -Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: - -Ea Buffer Offset: 410 -Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM -Ea Value Length: 7e -0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ -0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. * -0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... -0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. -0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T. -0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n... -0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l. -0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e -``` - -## Known limitations with using the Intelligent Security Graph - -Since the ISG only allows binaries that are known good, there are cases where legitimate software may be unknown to the ISG and will be blocked by Windows Defender Application Control (WDAC). In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, as well as self-updating applications, may exhibit this symptom. - -Packaged apps are not supported with the Microsoft Intelligent Security Graph heuristics and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it is straightforward to authorize these apps with your WDAC policy. +Packaged apps aren't supported with the ISG and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to [authorize packaged apps](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) with your WDAC policy. The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. ->[!NOTE] -> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +> [!NOTE] +> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 6737ed1fd8..696ab59fea 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -45,19 +45,19 @@ Windows Defender Application Control policies apply to the managed computer as a - The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary -Note that prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features that comprised the now-defunct term "Device Guard." +Prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features that comprised the now-defunct term "Device Guard." ### WDAC System Requirements Windows Defender Application Control (WDAC) policies can be created on any client edition of Windows 10 build 1903+, or Windows 11, or on Windows Server 2016 and above. -WDAC policies can be applied to devices running any edition of Windows 10, Windows 11, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 and Windows 11 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to devices running any edition of Windows 10, Windows 11, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 and Windows 11 Enterprise edition, or Windows Server 2016 and above, but can't deploy policies to devices running non-Enterprise SKUs of Windows 10. For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). ## AppLocker -AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but does not meet the servicing criteria for being a security feature. +AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but doesn't meet the servicing criteria for being a security feature. AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on: @@ -72,13 +72,13 @@ AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker -Generally, it is recommended that customers, who are able to implement application control using Windows Defender Application Control rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. +Generally, it's recommended that customers, who are able to implement application control using Windows Defender Application Control rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You need to apply different policies for different users or groups on shared computers. -- You do not want to enforce application control on application files such as DLLs or drivers. +- You don't want to enforce application control on application files such as DLLs or drivers. -AppLocker can also be deployed as a complement to Windows Defender Application Control (WDAC) to add user or group-specific rules for shared device scenarios, where it is important to prevent some users from running specific apps. +AppLocker can also be deployed as a complement to Windows Defender Application Control (WDAC) to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index 9d8ec5a0c7..e1353dfcf7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -30,12 +30,12 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. +When creating policies for use with Windows Defender Application Control (WDAC), it's recommended to start with a template policy, and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. ## Template Base Policies -Each of the template policies has a unique set of policy allow list rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. +Each of the template policies has a unique set of policy allowlist rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. | Template Base Policy | Description | @@ -64,11 +64,11 @@ A description of each policy rule, beginning with the left-most column, is provi |------------ | ----------- | | **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all Windows Defender Application Control policies. Setting this rule option allows the F8 menu to appear to physically present users. | | **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | -| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. | +| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 isn't supported and may have unintended results. | |**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.| | **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by the Microsoft Intelligent Security Graph (ISG). | | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | -| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows–compatible driver must be WHQL certified. | +| **Require WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Henceforth, every new Windows–compatible driver must be WHQL certified. | | **Update Policy without Rebooting** | Use this option to allow future Windows Defender Application Control policy updates to apply without requiring a system reboot. | | **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | | **User Mode Code Integrity** | Windows Defender Application Control policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | @@ -83,7 +83,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru | Rule option | Description | |------------ | ----------- | | **Boot Audit on Failure** | Used when the Windows Defender Application Control (WDAC) policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | -| **Disable Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. | +| **Disable Flight Signing** | If enabled, WDAC policies won't trust flightroot-signed binaries. This option would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. | | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that's only writable by an administrator) for any FileRule that allows a file based on FilePath. | | **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). | | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| @@ -104,17 +104,17 @@ The Publisher file rule type uses properties in the code signing certificate cha | Rule Condition | WDAC Rule Level | Description | |------------ | ----------- | ----------- | -| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. | -| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver corp, is affected. | +| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. | +| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example, a device driver corp, is affected. | | **File version** | SignedVersion | This rule is a combination of PCACertificate, publisher, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. | -| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | +| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | ![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) ### Filepath Rules -Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button. +Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button. ### File Attribute Rules @@ -132,11 +132,11 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c ### File Hash Rules -Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause additional administrative overhead to maintain the current product version's hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level. +Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product version's hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule can't be created using the specified file rule level. #### Deleting Signing Rules -The policy signing rules list table on the left of the page will document the allow and deny rules in the template, as well as any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table. +The policy signing rules list table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. You'll be prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table. ## Up next diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index 67405ee59b..65a4c8ef77 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md @@ -30,7 +30,7 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute. +Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When supplemental policies are being used, applications allowed by the base or its supplemental policy/policies will be allowed to execute. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules. @@ -40,17 +40,17 @@ Once the Supplemental Policy type is chosen on the New Policy page, policy name ![Base policy allows supplemental policies.](images/wdac-wizard-supplemental-expandable.png) -If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed. +If the base policy isn't configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed. ![Wizard confirms modification of base policy.](images/wdac-wizard-confirm-base-policy-modification.png) -Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md). +Policies that can't be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md). ![Wizard detects a bad base policy.](images/wdac-wizard-supplemental-not-base.png) ## Configuring Policy Rules -Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and will not be modifiable in the user interface. +Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and won't be modifiable in the user interface. A short description of the rule will be shown at the bottom of the page when the cursor is placed on the rule title. @@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha | Rule Condition | WDAC Rule Level | Description | |------------ | ----------- | ----------- | | **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. | -| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver publisher, is affected. | +| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example, a device driver publisher, is affected. | | **File version** | SignedVersion | This rule is a combination of the PCACertificate and Publisher rule, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. | | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | @@ -87,7 +87,7 @@ The Publisher file rule type uses properties in the code signing certificate cha ### Filepath Rules -Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button. +Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button. ### File Attribute Rules @@ -105,12 +105,12 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c ### File Hash Rules -Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level. +Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule can't be created using the specified file rule level. #### Deleting Signing Rules -The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table. +The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you'll be prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table. ## Up next diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index e74fded92b..5a109b3b15 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -39,7 +39,7 @@ The Windows Defender Application Control Wizard makes editing and viewing WDAC p ## Configuring Policy Rules -The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules). +The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains other policy rule options that are less common to most users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules). ![Configuring the policy rules.](images/wdac-wizard-edit-policy-rules.png) @@ -47,7 +47,7 @@ A description of the policy rule is shown at the bottom of the page when the cur ## Adding File Rules -The Windows Defender Application Control Wizard allows users to add rules to their existing policy seamlessly. Previously, this would have involved creating a new policy with the new rules and merging it with the existing policy. +The Windows Defender Application Control Wizard allows users to add rules to their existing policy seamlessly. Previously, this rule-adding task would have involved creating a new policy with the new rules and merging it with the existing policy. Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](wdac-wizard-create-base-policy.md#creating-custom-file-rules). diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md index 5110ed45a0..172bcc1cf7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md @@ -21,7 +21,7 @@ ms.technology: windows-sec # Merging existing policies with the WDAC Wizard -Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC)supports multiple policies. Before version 1903, however, Windows 10 could only have one WDAC policy. Consequently, users were required to merge multiple WDAC policies into one. The WDAC Wizard has a simple to use user interface to allow users to merge multiple WDAC policies. The Wizard can support up to 15 policy files as input during the merge workflow. +Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports multiple policies. Before version 1903, however, Windows 10 could only have one WDAC policy. So, users were required to merge multiple WDAC policies into one. The WDAC Wizard has a simple to use user interface to allow users to merge multiple WDAC policies. The Wizard can support up to 15 policy files as input during the merge workflow. Select the policies you wish to merge into one policy using the `+ Add Policy` button under the table. Once added, policies will be enumerated within the table. To remove a policy from the table, if accidentally added, highlight the policy row and select the `- Remove Policy` button. Confirmation will be required before the policy is withdrawn from the table. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index d87ee2f357..e993bb919d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -1,21 +1,16 @@ --- -title: Deploying Windows Defender Application Control (WDAC) policies (Windows) +title: Deploying Windows Defender Application Control (WDAC) policies description: Learn how to plan and implement a WDAC deployment. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: dansimp -manager: dansimp -ms.date: 05/16/2018 ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: aaroncz +ms.author: jogeurte +manager: jsuther +ms.date: 06/27/2022 +ms.topic: overview --- # Deploying Windows Defender Application Control (WDAC) policies @@ -33,7 +28,7 @@ You should now have one or more Windows Defender Application Control (WDAC) poli ## Plan your deployment -As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Decide what devices you will manage with Windows Defender Application Control and split them into deployment rings so you can control the scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. +As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Decide what devices you'll manage with Windows Defender Application Control and split them into deployment rings so you can control the scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. All Windows Defender Application Control policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints. @@ -41,7 +36,7 @@ All Windows Defender Application Control policy changes should be deployed in au There are several options to deploy Windows Defender Application Control policies to managed endpoints, including: -1. [Deploy using a Mobile Device Management (MDM) solution](deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune -2. [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md) -3. [Deploy via script](deployment/deploy-wdac-policies-with-script.md) -4. [Deploy via Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) +- [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune +- [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md) +- [Deploy via script](deployment/deploy-wdac-policies-with-script.md) +- [Deploy via group policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 9ae7311920..05fbd4e9b6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -30,18 +30,18 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. +This guide covers design and planning for Windows Defender Application Control (WDAC). It's intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. ## Plan for success -A common refrain you may hear about application control is that it is "too hard." While it is true that application control is not as simple as flipping a switch, organizations can be successful, if they're methodical when carefully planning their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning: +A common refrain you may hear about application control is that it is "too hard." While it's true that application control isn't as simple as flipping a switch, organizations can be successful, if they're methodical when carefully planning their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning: - Executive sponsorship and organizational buy-in is in place. -- There is a clear **business** objective for using application control, and it is not being planned as a purely technical problem from IT. +- There's a clear **business** objective for using application control, and it's not being planned as a purely technical problem from IT. - The organization has a plan to handle potential helpdesk support requests for users who are blocked from running some apps. - The organization has considered where application control can be most useful (for example, securing sensitive workloads or business functions) and also where it may be difficult to achieve (for example, developer workstations). -Once these business factors are in place, you are ready to begin planning your Windows Defender Application Control (WDAC) deployment. The following topics can help guide you through your planning process. +Once these business factors are in place, you're ready to begin planning your Windows Defender Application Control (WDAC) deployment. The following topics can help guide you through your planning process. ## In this section diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 3341806d89..9a160774c9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -29,11 +29,11 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. +After enabling you understand how to design and deploy your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. ## WDAC Events Overview -Windows Defender Application Control generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. +Windows Defender Application Control generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC doesn't generate events when a binary is allowed; however, there's the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. WDAC events are generated under two locations: diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 5e8737ae67..a552764722 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -36,7 +36,7 @@ In most organizations, information is the most valuable asset, and ensuring that Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). -Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.). +Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.). > [!NOTE] > Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index d9747dc21d..e3814dc5d2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -28,11 +28,11 @@ The **App and browser control** section contains information and settings for Wi In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). -You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can also choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Prevent users from making changes to the Exploit protection area in the App & browser control section -You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those for Windows Defender SmartScreen, unless those options have been configured separately. +You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those settings for Windows Defender SmartScreen, unless those options have been configured separately. You can only prevent users from modifying Exploit protection settings by using Group Policy. @@ -51,9 +51,9 @@ You can only prevent users from modifying Exploit protection settings by using G ## Hide the App & browser control section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +This section can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 3672d5c25a..a4136a591a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -25,19 +25,19 @@ ms.technology: windows-sec - Windows 11 -The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). +The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues. -In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Device performance & health section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +This section can be hidden only by using Group Policy. >[!IMPORTANT] >### Requirements @@ -46,7 +46,7 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Device performance and health**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index 4a34381192..66b2b79227 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -25,18 +25,18 @@ ms.technology: windows-sec The **Device security** section contains information and settings for built-in device security. -You can choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only. > [!IMPORTANT] > You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**. +2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**. @@ -57,7 +57,7 @@ If you don't want users to be able to click the **Clear TPM** button in the Wind 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**. +2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**. @@ -70,7 +70,7 @@ If you don't want users to see the recommendation to update TPM firmware, you ca 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**. +2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index a9e4a148c5..8f9528db75 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -1,6 +1,6 @@ --- title: Family options in the Windows Security app -description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options are not intended for business environments. +description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments. keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time search.product: eADQiWindows 10XVcnh ms.prod: m365-security @@ -24,18 +24,18 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. +The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments. Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender) -In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to this section. +In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section. ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +This section can be hidden only by using Group Policy. >[!IMPORTANT] >### Requirements @@ -44,7 +44,7 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Family options**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 924bcd1150..b0d7e2beea 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -30,9 +30,9 @@ In Windows 10, version 1709 and later, the section can be hidden from users of t ## Hide the Firewall & network protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +This section can be hidden only by using Group Policy. >[!IMPORTANT] >### Requirements @@ -41,7 +41,7 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 4b010e206c..c684f86a90 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -23,7 +23,7 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. +The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization. @@ -40,9 +40,9 @@ You can only use Group Policy to change these settings. ## Use Group Policy to hide non-critical notifications -You can hide notifications that describe regular events related to the health and security of the machine. These are notifications that do not require an action from the machine's user. It can be useful to hide these notifications if you find they are too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Endpoint Configuration Manager reporting). +You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Endpoint Configuration Manager reporting). -This can only be done in Group Policy. +These notifications can be hidden only by using Group Policy. >[!IMPORTANT] > @@ -52,9 +52,9 @@ This can only be done in Group Policy. 2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications** +5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications** 6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**. @@ -63,9 +63,9 @@ This can only be done in Group Policy. ## Use Group Policy to hide all notifications -You can hide all notifications that are sourced from the Windows Security app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. +You can hide all notifications that are sourced from the Windows Security app. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. -This can only be done in Group Policy. +These notifications can be hidden only by using Group Policy. >[!IMPORTANT] > @@ -73,9 +73,9 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**. +5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**. > [!NOTE] > For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**. @@ -104,16 +104,16 @@ This can only be done in Group Policy. | HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification| | Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification| | Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification| -| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification| -| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification| -| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification| +| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification| +| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification| +| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification| | Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |Virus & threat protection notification| | OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification| | OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |Virus & threat protection notification| | Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |Virus & threat protection notification| | Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |Virus & threat protection notification| -| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |Virus & threat protection notification| -| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |Virus & threat protection notification| +| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus didn't find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |Virus & threat protection notification| +| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus didn't find any threats since your last summary. | RECAP_NO_THREATS | No |Virus & threat protection notification| | Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification| | Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification| | Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification| @@ -122,7 +122,7 @@ This can only be done in Group Policy. | Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification| | Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification| | Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |Firewall and network protection notification| -| Ransomware specific detection | Microsoft Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |Virus & threat protection notification| +| Ransomware specific detection | Microsoft Defender Antivirus has detected threats, which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |Virus & threat protection notification| | ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |Firewall and network protection notification| | ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification| | CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |Firewall and network protection notification| diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 2d43e965ba..cade645c59 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -24,7 +24,7 @@ ms.technology: windows-sec The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. -In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in case of a ransomware attack. +In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack. IT administrators and IT pros can get more configuration information from these articles: @@ -35,14 +35,14 @@ IT administrators and IT pros can get more configuration information from these - [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) - [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) -You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for these features. +You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features. ## Hide the Virus & threat protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +This section can be hidden only by using Group Policy. >[!IMPORTANT] >### Requirements @@ -51,7 +51,7 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. @@ -66,9 +66,9 @@ This can only be done in Group Policy. ## Hide the Ransomware protection area -You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Security app. +You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app. -This can only be done in Group Policy. +This area can be hidden only by using Group Policy. >[!IMPORTANT] >### Requirements @@ -77,7 +77,7 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 40b96ae917..218c4f941f 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -1,11 +1,8 @@ --- title: The Windows Security app -description: The Windows Security app brings together common Windows security features into one place -keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows +description: The Windows Security app brings together common Windows security features into one place. search.product: eADQiWindows 10XVcnh ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library ms.localizationpriority: medium author: dansimp ms.author: dansimp @@ -35,15 +32,15 @@ In Windows 10, version 1803, the app has two new areas: **Account protection** a ![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png) > [!NOTE] -> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/). -You can't uninstall the Windows Security app, but you can do one of the following: +You can't uninstall the Windows Security app, but you can do one of the following actions: -- Disable the interface on Windows Server 2016. See [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server). -- Hide all of the sections on client computers (see below). -- Disable Microsoft Defender Antivirus, if needed. See [Enable and configure Microsoft Defender AV always-on protection and monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). +- Disable the interface on Windows Server 2016. +- Hide all of the sections on client computers. +- Disable Microsoft Defender Antivirus, if needed. For more information, see [Enable and configure Microsoft Defender Antivirus always-on protection in group policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). -You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: +For more information about each section, options for configuring the sections, and how to hide each of them, see the following articles: - [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive. - [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. @@ -51,16 +48,16 @@ You can find more information about each section, including options for configur - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. - [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. -- [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. +- [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online. > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) +> ![Windows Security app with all sections hidden by group policy.](images/wdsc-all-hide.png) ## Open the Windows Security app -- Click the icon in the notification area on the taskbar. +- Select the icon in the notification area on the taskbar. ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png) - Search the Start menu for **Windows Security**. @@ -71,23 +68,23 @@ You can find more information about each section, including options for configur ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png) > [!NOTE] -> Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. +> Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. ## How the Windows Security app works with Windows security features > [!IMPORTANT] > Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes. > -> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service ([*wscsvc*](/previous-versions/windows/it-pro/windows-xp/bb457154(v=technet.10)#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > ->These services do not affect the state of Microsoft Defender Antivirus. Disabling or modifying these services will not disable Microsoft Defender Antivirus, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. +> These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services won't disable Microsoft Defender Antivirus. It will lead to a lowered protection state on the endpoint, even if you're using a third-party antivirus product. > ->Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). +> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). > -> Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). +> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). > [!WARNING] -> If you disable the Windows Security Center Service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > > It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > @@ -97,9 +94,9 @@ The Windows Security app operates as a separate app or process from each of the It acts as a collector or single place to see the status and perform some configuration for each of the features. -Disabling any of the individual features (through Group Policy or other management tools, such as Microsoft Endpoint Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. +If you disable any of the individual features, it will prevent that feature from reporting its status in the Windows Security app. For example, if you disable a feature through group policy or other management tools, such as Microsoft Endpoint Configuration Manager. The Windows Security app itself will still run and show status for the other security features. > [!IMPORTANT] -> Individually disabling any of the services will not disable the other services or the Windows Security app. +> If you individually disable any of the services, it won't disable the other services or the Windows Security app. For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 0ffe9699ca..b663f72d19 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -2,38 +2,40 @@ title: Add Production Devices to the Membership Group for a Zone (Windows) description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Add Production Devices to the Membership Group for a Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. **Caution**   -For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode. +For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode. -The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). +The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you. @@ -67,7 +69,7 @@ After a computer is a member of the group, you can force a Group Policy refresh ## To refresh Group Policy on a device -From an elevated command prompt, type the following: +From an elevated command prompt, type the following command: ``` syntax gpupdate /target:computer /force @@ -77,7 +79,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to ## To see which GPOs are applied to a device -From an elevated command prompt, type the following: +From an elevated command prompt, type the following command: ``` syntax gpresult /r /scope:computer diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index e3a45c598a..9f5d3bac7c 100644 --- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md @@ -2,32 +2,34 @@ title: Add Test Devices to the Membership Group for a Zone (Windows) description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Add Test Devices to the Membership Group for a Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. +Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device. -Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive. +Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it's supposed to receive. **Administrative credentials** @@ -53,7 +55,7 @@ In this topic: 5. Type the name of the device in the text box, and then click **OK**. -6. Repeat steps 5 and 6 for each additional device account or group that you want to add. +6. Repeat steps 5 and 6 for each extra device account or group that you want to add. 7. Click **OK** to close the group properties dialog box. @@ -61,7 +63,7 @@ After a device is a member of the group, you can force a Group Policy refresh on ## To refresh Group Policy on a device -From a elevated command prompt, run the following: +From an elevated command prompt, run the following command: ``` syntax gpupdate /target:device /force @@ -71,7 +73,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to ## To see which GPOs are applied to a device -From an elevated command prompt, run the following: +From an elevated command prompt, run the following command: ``` syntax gpresult /r /scope:computer diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 1a7d5dd07e..180ebf61e7 100644 --- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -2,28 +2,30 @@ title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows) description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Appendix A: Sample GPO Template Files for Settings Used in this Guide -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 221490f2e9..88a28959fc 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -2,28 +2,30 @@ title: Assign Security Group Filters to the GPO (Windows) description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers. ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Assign Security Group Filters to the GPO -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 2523d0ce01..68b7ae50a0 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -2,35 +2,37 @@ title: Basic Firewall Policy Design (Windows) description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Basic Firewall Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. +Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization. -The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped. +The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that doesn't match the rules is dropped. Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted. -Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: +Many network administrators don't want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs don't require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: - On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device. @@ -42,7 +44,7 @@ Many network administrators do not want to tackle the difficult task of determin For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. -With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. +With a few exceptions, the firewall can be enabled on all configurations. Therefore, we recommend that you enable the firewall on every device in your organization. The term "device" includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. > [!CAUTION] > Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft. @@ -51,11 +53,11 @@ By default, in new installations, Windows Defender Firewall with Advanced Securi If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. -Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  +Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation. -After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization. +After implementing this design, you'll have centralized management of the firewall rules applied to all devices that are running Windows in your organization. > [!IMPORTANT] > If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 20bc578f08..db778a73a8 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -6,14 +6,20 @@ ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: maccruz -author: schmurky +ms.author: paoloma +author: paolomatarazzo ms.localizationpriority: medium -manager: dansimp +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: article ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Best practices for configuring Windows Defender Firewall @@ -43,7 +49,7 @@ When you open the Windows Defender Firewall for the first time, you can see the *Figure 1: Windows Defender Firewall* -1. **Domain profile**: Used for networks where there is a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC +1. **Domain profile**: Used for networks where there's a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC 2. **Private profile**: Designed for and best used in private networks such as a home network @@ -69,7 +75,7 @@ For more on configuring basic firewall settings, see [Turn on Windows Firewall a In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. -This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: +This rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: ![Rule creation wizard.](images/fw02-createrule.png) @@ -89,11 +95,11 @@ allowing these inbound exceptions. 2. Explicit block rules will take precedence over any conflicting allow rules. -3. More specific rules will take precedence over less specific rules, except in the case of explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 includes an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) +3. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) -Because of 1 and 2, it is important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow. +Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow. -A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. +A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. > [!NOTE] > Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. @@ -102,13 +108,13 @@ A general security best practice when creating inbound rules is to be as specifi ### Inbound allow rules -When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there is a default block action in Windows Defender Firewall, it is necessary to create inbound exception rules to allow this traffic. It is common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. +When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Defender Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. -If there are no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network. +If there's no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network. -- If the user has admin permissions, they will be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic. +- If the user has admin permissions, they'll be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic. -- If the user is not a local admin, they will not be prompted. In most cases, block rules will be created. +- If the user isn't a local admin, they won't be prompted. In most cases, block rules will be created. In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked. @@ -118,11 +124,11 @@ In either of the scenarios above, once these rules are added they must be delete ### Known issues with automatic rule creation -When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. +When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. -The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues. +The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues. -To determine why some applications are blocked from communicating in the network, check for the following: +To determine why some applications are blocked from communicating in the network, check for the following instances: 1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. @@ -148,7 +154,7 @@ Firewall rules can be deployed: Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles. -The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy. +The rule-merging settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from Group Policy. ![Customize settings.](images/fw05-rulemerge.png) @@ -160,12 +166,12 @@ equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under e If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity. -Admins may disable *LocalPolicyMerge* in high security environments to maintain tighter control over endpoints. This can impact some apps and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device +Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments). [Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging. -As a best practice, it is important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. +As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes. @@ -177,7 +183,7 @@ supported in application rules. We currently only support rules created using th ## Know how to use "shields up" mode for active attacks -An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It is an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. +An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. Shields up can be achieved by checking **Block all incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*. @@ -190,9 +196,9 @@ incoming connections, including those in the list of allowed apps** setting foun *Figure 7: Legacy firewall.cpl* -By default, the Windows Defender Firewall will block everything unless there is an exception rule created. This setting overrides the exceptions. +By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions. -For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access will not work as long as shields up is activated. +For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated. Once the emergency is over, uncheck the setting to restore regular network traffic. @@ -203,7 +209,7 @@ What follows are a few general guidelines for configuring outbound rules. - The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default. -- It is recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use. +- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use. - In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments). diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index e867dc86b4..77da6ba1be 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -2,36 +2,38 @@ title: Boundary Zone GPOs (Windows) description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security. ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Boundary Zone GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. >**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. -This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. +This recommendation means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. -The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. +The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices aren't expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed. diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 11c757ec1c..d8077459ac 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -2,28 +2,30 @@ title: Boundary Zone (Windows) description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security. ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Boundary Zone - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above + In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. @@ -31,20 +33,20 @@ Devices in the boundary zone are trusted devices that can accept communication r The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it. -These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. +These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the extra risk. The following illustration shows a sample process that can help make such a decision. ![design flowchart.](images/wfas-designflowchart1.gif) -The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. +The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk can't be mitigated, membership must be denied. -You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. +You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically similar to those settings and rules for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group. ## GPO settings for boundary zone servers running at least Windows Server 2008 -The boundary zone GPO for devices running at least Windows Server 2008 should include the following: +The boundary zone GPO for devices running at least Windows Server 2008 should include the following components: - IPsec default settings that specify the following options: diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 2904f65cb4..02c88fdfb7 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -2,38 +2,40 @@ title: Certificate-based Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate-based Isolation Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). -One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information. +One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it's considered unsolicited inbound traffic to the devices that receive this information. ## Design requirements -One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate. +One possible solution to this design example is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it can't authenticate. -A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed. +A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it can't join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically protected documents, encrypted in such a way that their origin can be positively confirmed. In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server. @@ -51,11 +53,11 @@ The non-Windows device can be effectively made a member of the boundary zone or Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization. -The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules. +The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules. -When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. +When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. -By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. +With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index f134b8f1db..c21f3ae251 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -2,38 +2,40 @@ title: Certificate-based Isolation Policy Design (Windows) description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate-based isolation policy design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. -Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol. +Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices can't join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows can't join a domain for various reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol. -To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows. +To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that don't run Windows. The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain. -For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. +For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but aren't part of the Active Directory domain. For other devices, you'll have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. For more info about this design: diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index fe2aeb49e8..effdd2a70c 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -2,30 +2,32 @@ title: Change Rules from Request to Require Mode (Windows) description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Change Rules from Request to Require Mode -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. +After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain. **Administrative credentials** diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index 18558ef571..d3356b14f3 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -2,28 +2,30 @@ title: Checklist Configuring Basic Firewall Settings (Windows) description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Basic Firewall Settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 296c1e7556..176d8f4536 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -2,52 +2,54 @@ title: Checklist Configuring Rules for an Isolated Server Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for an Isolated Server Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). -In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. +In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they're enforced at the application layer, rather than the IP layer. Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. -The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server. +The GPOs for an isolated server or group of servers are similar to those GPOs for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules and restrictions that allow only members of the NAG to connect to the server. **Checklist: Configuring rules for isolated servers** | Task | Reference | | - | - | -| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
                                Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
                                Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| | Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Create a rule that requests authentication for all network traffic.
                                **Important:** Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create a rule that requests authentication for all network traffic.
                                **Important:** As in an isolated domain, don't set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| | Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | -Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. +Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 4c9332aa61..e546b37adf 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -2,49 +2,51 @@ title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows) description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). -The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. +The GPOs for isolated servers are similar to those GPOs for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. **Checklist: Configuring rules for isolated servers** | Task | Reference | | - | - | -| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                                [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                                [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | -| Create a rule that requests authentication for all inbound network traffic.

                                **Important:** Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create a rule that requests authentication for all inbound network traffic.

                                **Important:** As in an isolated domain, don't set the rules to require authentication until your testing is complete. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| | Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | -| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. +Don't change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index 4fa942aac8..55e7e19754 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -2,41 +2,43 @@ title: Checklist Configuring Rules for the Boundary Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for the Boundary Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. -Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. +Rules for the boundary zone are typically the same as those rules for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. **Checklist: Configuring boundary zone rules** -This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. +This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you don't change the rule from request authentication to require authentication when you create the other GPOs. | Task | Reference | | - | - | -| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | -| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy isn't changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | +| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| | Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index f543b9606f..5d0a18a69f 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -2,41 +2,43 @@ title: Checklist Configuring Rules for the Encryption Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for the Encryption Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. -Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. +Rules for the encryption zone are typically the same as those rules for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. **Checklist: Configuring encryption zone rules** -This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. +This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. | Task | Reference | | - | - | | Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Modify the group memberships and WMI filters so that they're correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index e5e7186579..648850a336 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -2,28 +2,30 @@ title: Checklist Configuring Rules for the Isolated Domain (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for the Isolated Domain -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. @@ -31,8 +33,8 @@ The following checklists include tasks for configuring connection security rules | Task | Reference | | - | - | -| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                                [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                                [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you're working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they're correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| @@ -44,4 +46,4 @@ The following checklists include tasks for configuring connection security rules | Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| -Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. +Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index 1796cc336e..6168d455d3 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -2,30 +2,32 @@ title: Checklist Creating Group Policy Objects (Windows) description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Group Policy Objects -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group. The checklists for firewall, domain isolation, and server isolation include a link to this checklist. @@ -35,19 +37,19 @@ For most GPO deployment tasks, you must determine which devices must receive and ## About exclusion groups -A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. +A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that can't or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it's easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. -You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. +You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To use the group as an exclusion group, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. **Checklist: Creating Group Policy objects** | Task | Reference | | - | - | | Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                                [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| -| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
                                If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
                                If some devices in the membership group are running an operating system that doesn't support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that can't be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | -| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| If you're working on a GPO that was copied from another, modify the group memberships and WMI filters so that they're correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | | Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index cb5f132795..57a25a4b6c 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -2,28 +2,30 @@ title: Checklist Creating Inbound Firewall Rules (Windows) description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Inbound Firewall Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for creating firewall rules in your GPOs. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index cc6976169c..879c1a55b6 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -2,28 +2,30 @@ title: Checklist Creating Outbound Firewall Rules (Windows) description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Outbound Firewall Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for creating outbound firewall rules in your GPOs. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 62905bf49e..9094725eda 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -2,28 +2,30 @@ title: Create Rules for Standalone Isolated Server Zone Clients (Windows) description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. @@ -31,13 +33,13 @@ This checklist includes tasks for configuring connection security rules and IPse | Task | Reference | | - | - | -| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                                [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                                [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index c9c577bc2e..6a5f00771e 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -2,28 +2,30 @@ title: Checklist Implementing a Basic Firewall Policy Design (Windows) description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Basic Firewall Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index a1183f3f52..ce48d49c77 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -2,28 +2,30 @@ title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows) description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Certificate-based Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. @@ -35,7 +37,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | | Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                                [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
                                [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
                                [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | -| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| | | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| | On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 6a6f01d952..6061bc86b5 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -2,28 +2,30 @@ title: Checklist Implementing a Domain Isolation Policy Design (Windows) description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Domain Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 3090ba97d5..87364021d1 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -1,31 +1,33 @@ --- title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows) -description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists. +description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists. ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Standalone Server Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). +This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index 7522322a6f..7f45ce6466 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -2,28 +2,30 @@ title: Configure Authentication Methods (Windows) description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Authentication Methods -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. @@ -49,29 +51,29 @@ To complete these procedures, you must be a member of the Domain Administrators 3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. + 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. 6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. - The first authentication method can be one of the following: + The first authentication method can be one of the following methods: - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. - - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes. + - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method isn't recommended, and is included only for backward compatibility and testing purposes. If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - The second authentication method can be one of the following: + The second authentication method can be one of the following methods: - - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 99a5795add..f839c60899 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -2,28 +2,30 @@ title: Configure Data Protection (Quick Mode) Settings (Windows) description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone. ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Data Protection (Quick Mode) Settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index ef75edf628..feb3b8e3a2 100644 --- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -2,28 +2,30 @@ title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows) description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Group Policy to Autoenroll and Deploy Certificates -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index 6e18c1001c..dd062985fe 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -2,28 +2,30 @@ title: Configure Key Exchange (Main Mode) Settings (Windows) description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security. ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Key Exchange (Main Mode) Settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. @@ -41,23 +43,23 @@ To complete these procedures, you must be a member of the Domain Administrators 4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**. -5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following: +5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list aren't what you want, then do the following steps: **Important**   - In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. + In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This rule means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. - Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. + Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method is used in the negotiation. Ensure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. **Note**   - When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select. + When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This event happens no matter which Diffie-Hellman key exchange protocol you select. - 1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**. + 1. Remove any of the security methods that you don't want by selecting the method and then clicking **Remove**. 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**. >**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. - 3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. + 3. After the list contains only the combinations you want, use the "up" and "down" arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. 6. From the list on the right, select the key exchange algorithm that you want to use. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index c7c3f8fafc..2a9fedfb36 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -1,26 +1,32 @@ --- title: Configure the Rules to Require Encryption (Windows) -description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption. +description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption. ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure the Rules to Require Encryption -If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption. +If you're creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that don't use encryption. **Administrative credentials** @@ -46,9 +52,9 @@ To complete this procedure, you must be a member of the Domain Administrators gr 9. Click **Require encryption for all connection security rules that use these settings**. - This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone. + This setting disables the data integrity rules section. Ensure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone won't be able to connect to devices in this zone. -10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). +10. If you need to add an algorithm combination, click **Add** and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). **Note**   Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. @@ -57,6 +63,6 @@ To complete this procedure, you must be a member of the Domain Administrators gr For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) -11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. +11. During negotiation, algorithm combinations are proposed in the order shown in the list. Ensure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. 12. Click **OK** three times to save your changes. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index c7d71a4f26..acae2a5eb6 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -2,28 +2,30 @@ title: Configure the Windows Defender Firewall Log (Windows) description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC. ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure the Windows Defender Firewall with Advanced Security Log -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. @@ -43,11 +45,11 @@ To complete these procedures, you must be a member of the Domain Administrators 2. Under **Logging**, click **Customize**. - 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. + 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. >**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. - 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. + 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. 5. No logging occurs until you set one of following two options: @@ -58,4 +60,4 @@ To complete these procedures, you must be a member of the Domain Administrators 6. Click **OK** twice. ### Troubleshooting Slow Log Ingestion -If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this will result in more resource usage due to the increased resource usage for log rotation. +If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index f0c5bb8bdf..7f4b8057f3 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -2,25 +2,27 @@ title: Configure the Workstation Authentication Template (Windows) description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations. ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 -ms.reviewer: -manager: dansimp -ms.author: dansimp +ms.reviewer: jekrynit +manager: aaroncz +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +author: paolomatarazzo ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure the Workstation Authentication Certificate Template -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. @@ -52,4 +54,4 @@ To complete these procedures, you must be a member of both the Domain Admins gro 10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. -11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**. +11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you configured, and then click **OK**. diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 9a23ea1f28..81905439d5 100644 --- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -1,35 +1,37 @@ --- title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows) -description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked +description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. >**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. -We recommend that you do not enable these settings until you have created and tested the required rules. +We recommend that you don't enable these settings until you've created and tested the required rules. **Administrative credentials** @@ -51,6 +53,6 @@ To complete these procedures, you must be a member of the Domain Administrators 4. Under **Rule merging**, change **Apply local firewall rules** to **No**. - 5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. + 5. Although a connection security rule isn't a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you're planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. 6. Click **OK** twice. diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md index 45aac5c3bd..e23f800b1e 100644 --- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md @@ -2,28 +2,30 @@ title: Confirm That Certificates Are Deployed Correctly (Windows) description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations. ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: securit ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Confirm That Certificates Are Deployed Correctly -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 16fa98ba4f..603fb772d6 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -2,28 +2,30 @@ title: Copy a GPO to Create a New GPO (Windows) description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices. ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Copy a GPO to Create a New GPO -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. @@ -49,7 +51,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 8. Type the new name, and then press ENTER. -9. You must change the security filters to apply the policy to the correct group of devices. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. +9. You must change the security filters to apply the policy to the correct group of devices. To change the security filters, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. 10. In the confirmation dialog box, click **OK**. @@ -57,4 +59,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If necessary, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md index 7f5899e2f5..f3f7a3bb1b 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md @@ -2,28 +2,30 @@ title: Create a Group Account in Active Directory (Windows) description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console. ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create a Group Account in Active Directory -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index c1f6da0c2a..8926c70552 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -2,28 +2,30 @@ title: Create a Group Policy Object (Windows) description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group. ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create a Group Policy Object -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To create a new GPO, use the Active Directory Users and Computers MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index 513807383f..a2ad8d6f6c 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -2,28 +2,30 @@ title: Create an Authentication Exemption List Rule (Windows) description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies. ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Authentication Exemption List Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 037a451dee..99d3d07f46 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -2,20 +2,26 @@ title: Create an Authentication Request Rule (Windows) description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Authentication Request Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md index da5b7f7f20..76b063f72d 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -2,28 +2,30 @@ title: Create an Inbound ICMP Rule (Windows) description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Inbound ICMP Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 93586077a2..56a7c6808c 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -2,28 +2,30 @@ title: Create an Inbound Port Rule (Windows) description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Inbound Port Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index bb976db9c3..1d6f3352d0 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -2,28 +2,30 @@ title: Create an Inbound Program or Service Rule (Windows) description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules. ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Inbound Program or Service Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index e38e364c07..9c6df54f31 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -2,28 +2,30 @@ title: Create an Outbound Port Rule (Windows) description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Outbound Port Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. @@ -45,13 +47,13 @@ To create an outbound port rule 5. On the **Program** page, click **All programs**, and then click **Next**. -6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number. +6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number. - If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. - When you have configured the protocols and ports, click **Next**. + When you've configured the protocols and ports, click **Next**. 7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index ec94f13e2b..79eb7dda0d 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,24 +1,26 @@ --- title: Create an Outbound Program or Service Rule (Windows) description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Outbound Program or Service Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index 6e4429688b..2fec297236 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -1,26 +1,28 @@ --- title: Create Inbound Rules to Support RPC (Windows) description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create Inbound Rules to Support RPC -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. +To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. **Administrative credentials** @@ -77,7 +79,7 @@ In this topic: 3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**. -4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service does not appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. +4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. 5. Click **OK**, and then click **Next**. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 502b0b5b91..3b6a633dbf 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -1,23 +1,25 @@ --- title: Create Windows Firewall rules in Intune (Windows) description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create Windows Firewall rules in Intune -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above >[!IMPORTANT] >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -45,7 +47,7 @@ Package family names can be retrieved by running the Get-AppxPackage command fro [Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell) Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. -Default ia All. +Default is All. [Learn more](/windows/client-management/mdm/firewall-csp#servicename) @@ -67,9 +69,9 @@ Comma separated list of ranges. For example, *100-120,200,300-320*. Default is A [Learn more](/windows/client-management/mdm/firewall-csp#remoteportranges) ## Local addresses -Comma separated list of local addresses covered by the rule. Valid tokens include: -- \* indicates any local address. If present, this must be the only token included. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255. +Comma-separated list of local addresses covered by the rule. Valid tokens include: +- \* indicates any local address. If present, this token must be the only one included. +- A subnet can be specified using either the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask default is 255.255.255.255. - A valid IPv6 address. - An IPv4 address range in the format of "start address-end address" with no spaces included. - An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address. @@ -78,7 +80,7 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ ## Remote addresses List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include: -- \* indicates any remote address. If present, this must be the only token included. +- \* indicates any remote address. If present, this token must be the only one included. - Defaultgateway - DHCP - DNS @@ -103,7 +105,7 @@ Indicates whether edge traversal is enabled or disabled for this rule. The EdgeT [Learn more](/windows/client-management/mdm/firewall-csp#edgetraversal) ## Authorized users -Specifies the list of authorized local users for this rule. A list of authorized users cannot be specified if the rule being authored is targeting a Windows service. Default is all users. +Specifies the list of authorized local users for this rule. A list of authorized users can't be specified if the rule being authored is targeting a Windows service. Default is all users. [Learn more](/windows/client-management/mdm/firewall-csp#localuserauthorizedlist) diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 1b2931e18d..2bdb97ef09 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -1,24 +1,26 @@ --- title: Create WMI Filters for the GPO (Windows) description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create WMI Filters for the GPO -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 7e365c2fbf..0b2d46c86c 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,24 +1,26 @@ --- title: Designing a Windows Defender Firewall Strategy (Windows) description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Designing a Windows Defender Firewall with Advanced Security Strategy -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. @@ -32,17 +34,17 @@ The information that you gather will help you answer the following questions. Th - What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs? -- What traffic on the network cannot be protected by IPsec because the devices or devices sending or receiving the traffic do not support IPsec? +- What traffic on the network can't be protected by IPsec because the devices or devices sending or receiving the traffic don't support IPsec? - For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required? -- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use. +- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you don't, then you can't use Group Policy for easy mass deployment of your firewall and connection security rules. You also can't easily take advantage of Kerberos V5 authentication that all domain clients can use. -- Which devices must be able to accept unsolicited inbound connections from devices that are not part of the domain? +- Which devices must be able to accept unsolicited inbound connections from devices that aren't part of the domain? - Which devices contain data that must be encrypted when exchanged with another computer? -- Which devices contain sensitive data to which access must be restricted to specifically authorized users and devices? +- Which devices contain sensitive data to which access must be restricted to authorized users and devices? - Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall? diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index cdbb54af14..7cc8bd8b35 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -1,26 +1,28 @@ --- title: Determining the Trusted State of Your Devices (Windows) description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Determining the Trusted State of Your Devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status. +After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this communication can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status. >**Note:**  In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. @@ -47,7 +49,7 @@ When a device is considered trusted, other trusted devices can reasonably assume Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. -A possible list of technology requirements might include the following: +A possible list of technology requirements might include: - **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008. @@ -75,7 +77,7 @@ For each device that is assigned a trustworthy status, make an accompanying conf Generally, trustworthy devices fall into one of the following two groups: -- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk doesn't meet this requirement. +- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, more configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk doesn't meet this requirement. - **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: @@ -83,9 +85,9 @@ Generally, trustworthy devices fall into one of the following two groups: - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, can't be considered trusted until these applications are installed and active. - - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device. + - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or another software that forces the required hardware upgrade. For example, security software might require more hard disk space on the device. - - **Device replacement required.** This category is reserved for devices that can't support the security requirements of the solution because their hardware can't support the minimum acceptable configuration. For example, a device that can't run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). + - **Device replacement required.** This category is reserved for devices that can't support the security requirements of the solution because their hardware can't support the minimum acceptable configuration. For example, a device that can't run a secure operating system because it has an old processor (such as a 100 megahertz \[MHz\] x86-based device). Use these groups to assign costs for implementing the solution on the devices that require upgrades. @@ -101,9 +103,9 @@ During the process of categorizing an organization's devices, you'll identify so There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: -- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system can't be classified as trustworthy because these operating systems don't support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it doesn't support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). +- **Devices that run unsupported versions of Windows.** These versions include Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system can't be classified as trustworthy because these operating systems don't support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it doesn't support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). -- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually can't achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device isn't a part of a trusted domain. +- **Stand-alone devices.** Devices running any version of Windows which are configured as stand-alone devices or as members of a workgroup usually can't achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device isn't a part of a trusted domain. - **Devices in an untrusted domain.** A device that is a member of a domain that isn't trusted by an organization's IT department can't be classified as trusted. An untrusted domain is a domain that can't provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities can't be fully guaranteed when devices aren't in a trusted domain. @@ -139,6 +141,6 @@ The device SERVER001 is "trustworthy" because it meets the hardware requirements With the other information that you've gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. -The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. +The costs identified in this section only capture the projected cost of the device upgrades. Many more design, support, test, and training costs should be accounted for in the overall project plan. **Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index 4b52443989..95dc6e163c 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -1,26 +1,28 @@ --- title: Documenting the Zones (Windows) description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Documenting the Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: +Generally, the task of determining zone membership isn't complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: | Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | | - | - | - | - | - | - | diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index d3e12bfc41..82b302fd7b 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -1,24 +1,26 @@ --- title: Domain Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Domain Isolation Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. @@ -30,11 +32,11 @@ The following illustration shows the traffic protection needed for this design e ![domain isolation policy design.](images/wfas-design2example1.gif) -1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. +1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that isn't authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. -2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which are not members of Woodgrove Bank's domain. +2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which aren't members of Woodgrove Bank's domain. -3. Client devices can initiate non-authenticated outbound communications with devices that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. +3. Client devices can initiate non-authenticated outbound communications with devices that aren't members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. 4. Devices in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. @@ -46,13 +48,13 @@ The following illustration shows the traffic protection needed for this design e Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices on its network. -Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. +Setting up groups as described here ensures that you don't have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. -The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, simply add the device's account in the appropriate group. +The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, add the device's account in the appropriate group. -- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. +- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO doesn't apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. -- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that cannot participate in domain isolation, such as a DHCP server running UNIX, is added to this group. +- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that can't participate in domain isolation, such as a DHCP server running UNIX, is added to this group. - **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the devices that are part of the boundary group able to receive unsolicited inbound traffic from untrusted devices. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index ac3e4beadc..340f62976e 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -1,58 +1,60 @@ --- title: Domain Isolation Policy Design (Windows) description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Domain Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. -This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After implementing the new rules, your devices reject unsolicited network traffic from devices that are not members of the isolated domain. +This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After the new rules are implemented, your devices reject unsolicited network traffic from devices that aren't members of the isolated domain. The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. -By using connection security rules based on IPsec, you provide a logical barrier between devices even if they are connected to the same physical network segment. +By using connection security rules based on IPsec, you provide a logical barrier between devices even if they're connected to the same physical network segment. The design is shown in the following illustration, with the arrows that show the permitted communication paths. ![isolated domain boundary zone.](images/wfasdomainisoboundary.gif) -Characteristics of this design, as shown in the diagram, include the following: +Characteristics of this design, as shown in the diagram, include: -- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. This includes unauthenticated traffic to devices that are not in the isolated domain. Devices that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). +- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. This traffic includes unauthenticated traffic to devices that aren't in the isolated domain. Devices that can't join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). - Boundary zone (area B) - Devices in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted devices, such as clients on the Internet. - Devices in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a device that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated. + Devices in the boundary zone request but don't require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member, the traffic is authenticated. When a device that isn't part of the isolated domain communicates with a boundary zone member the traffic isn't authenticated. Because boundary zone devices are exposed to network traffic from untrusted and potentially hostile devices, they must be carefully managed and secured. Put only the devices that must be accessed by external devices in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member devices. -- Trusted non-domain members (area C) - Devices on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. +- Trusted non-domain members (area C) - Devices on the network that aren't domain members or that can't use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. -- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. +- Untrusted non-domain members (area D) - Devices that aren't managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. -After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. +After this design is implemented, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. > [!IMPORTANT] > This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. -In order to expand the isolated domain to include Devices that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). +In order to expand the isolated domain to include Devices that can't be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). For more info about this design: diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index c17b29ef65..123058b8dd 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -1,26 +1,28 @@ --- title: Enable Predefined Inbound Rules (Windows) description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Enable Predefined Inbound Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -36,6 +38,6 @@ To deploy predefined firewall rules that allow inbound network traffic for commo 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. -5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they're all selected. For rules that you don't want to deploy, clear the check boxes next to the rules, and then click **Next**. 6. On the **Action** page, select **Allow the connection**, and then click **Finish**. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 782c3d49fc..000488608e 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -1,26 +1,28 @@ --- title: Enable Predefined Outbound Rules (Windows) description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Enable Predefined Outbound Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically doesn't enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -36,7 +38,7 @@ To deploy predefined firewall rules that block outbound network traffic for comm 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. -5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They are all selected by default. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They're all selected by default. For rules that you don't want to deploy, clear the check boxes next to the rules, and then click **Next**. 6. On the **Action** page, select **Block the connection**, and then click **Finish**. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index f246825b19..bcca4ec64f 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -1,27 +1,29 @@ --- title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Encryption Zone GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. -The GPO is only for server versions of Windows. Client devices aren't expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. +The GPO is only for server versions of Windows. Client devices aren't expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. - [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 8a6dd9db87..7038a7f49d 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,37 +1,39 @@ --- title: Encryption Zone (Windows) -description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted. -ms.reviewer: -ms.author: dansimp +description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted. +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Encryption Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. +Some servers in the organization host data that's sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it's transferred between devices. -To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted. +To support the other security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted. -You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. +You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those settings and rules for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. ## GPO settings for encryption zone servers running at least Windows Server 2008 -The GPO for devices that are running at least Windows Server 2008 should include the following: +The GPO for devices that are running at least Windows Server 2008 should include: - IPsec default settings that specify the following options: @@ -39,11 +41,11 @@ The GPO for devices that are running at least Windows Server 2008 should includ 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, use ESP encapsulation.. - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. - The following connection security rules: @@ -52,7 +54,7 @@ The GPO for devices that are running at least Windows Server 2008 should includ - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. **Important**   - Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + Be sure to begin operations by using request in and request out behavior until you're sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 9cd638e39c..3096a8342b 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,24 +1,26 @@ --- title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) description: Evaluating Windows Defender Firewall with Advanced Security Design Examples -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Evaluating Windows Defender Firewall with Advanced Security Design Examples -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index dee6778a40..d6de9a861d 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,24 +1,26 @@ --- title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Exempt ICMP from Authentication -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index a150d214f5..ac27c34d95 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,42 +1,44 @@ --- title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Exemption List -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. +When you implement a server and domain isolation security model in your organization, you're likely to find more challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers can't require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. -In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list. +In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices can't use IPsec to access, which would be added to the exemption list. Generally, the following conditions are reasons to consider adding a device to the exemption list: -- If the device must be accessed by trusted devices but it does not have a compatible IPsec implementation. +- If the device must be accessed by trusted devices but it doesn't have a compatible IPsec implementation. -- If the device must provide services to both trusted and untrusted devices, but does not meet the criteria for membership in the boundary zone. +- If the device must provide services to both trusted and untrusted devices, but doesn't meet the criteria for membership in the boundary zone. -- If the device must be accessed by trusted devices from different isolated domains that do not have an Active Directory trust relationship established with each other. +- If the device must be accessed by trusted devices from different isolated domains that don't have an Active Directory trust relationship established with each other. - If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. -- If the device must support trusted and untrusted devices, but cannot use IPsec to help secure communications to trusted devices. +- If the device must support trusted and untrusted devices, but can't use IPsec to help secure communications to trusted devices. -For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following: +For large organizations, the list of exemptions might grow large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following effects: - Reduces the overall effectiveness of isolation. diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index ad4e1359c3..f13a1094ec 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -1,17 +1,23 @@ --- title: Filter origin audit log improvements description: Filter origin documentation audit log improvements -ms.reviewer: -ms.author: v-bshilpa +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: normal -author: Benny-54 -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Filter origin audit log improvements @@ -24,7 +30,7 @@ Typically, when investigating packet drop events, a customer would use the field The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. -However, the filter ID is not a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This makes the diagnosis process error-prone and difficult. +However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This change in ID makes the diagnosis process error-prone and difficult. For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin. @@ -48,7 +54,7 @@ The blocking filters can be categorized under these filter origins: g. Windows Service Hardening (WSH) default -The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release. +The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases. ## Improved firewall audit @@ -95,7 +101,7 @@ After identifying the rule that caused the drop, the network admin can now modif **AppContainer loopback** -Network drop events from the AppContainer loopback block filter origin occur when localhost loopback is not enabled properly for the Universal Windows Platform (UWP) app. +Network drop events from the AppContainer loopback block filter origin occur when localhost loopback isn't enabled properly for the Universal Windows Platform (UWP) app. To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback). @@ -103,7 +109,7 @@ To enable localhost loopback for a published app that requires loopback access t **Boottime default** -Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service is not yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it is not possible to add boottime filters through firewall rules. +Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service isn't yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it's not possible to add boottime filters through firewall rules. **Quarantine default** @@ -125,9 +131,9 @@ To learn more about the quarantine feature, see [Quarantine behavior](quarantine **Query user default** -Network packet drops from query user default block filters occur when there is no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but does not have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: +Network packet drops from query user default block filters occur when there's no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but doesn't have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: -1. Create an inbound firewall rule to allow the packet for this application. This will allow the packet to bypass any query user default block filters. +1. Create an inbound firewall rule to allow the packet for this application. This packet will allow the packet to bypass any query user default block filters. 2. Delete any block query user rules that may have been auto generated by the firewall service. @@ -141,7 +147,7 @@ Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} The query user pop-up feature is enabled by default. -To disable the query user pop-up, you can run the following in administrative command prompt: +To disable the query user pop-up, you can run the following command in administrative command prompt: ```Console Netsh set allprofiles inboundusernotification disable @@ -160,10 +166,10 @@ To disable stealth-mode, see [Disable stealth mode in Windows](/troubleshoot/win **UWP default** -Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback is not enabled) or the private range is configured incorrectly. +Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback isn't enabled) or the private range is configured incorrectly. For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](./troubleshooting-uwp-firewall.md). **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block isn't expected. diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index 9cac69201b..80b417b9a0 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,24 +1,26 @@ --- title: Firewall GPOs (Windows) -description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain. -ms.reviewer: -ms.author: dansimp +description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain. +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Firewall GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 6152948655..d52cb81f95 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,24 +1,26 @@ --- title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Basic Firewall Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In this example, the fictitious company Woodgrove Bank is a financial services institution. @@ -26,11 +28,11 @@ Woodgrove Bank has an Active Directory domain that provides Group Policy-based m Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. -A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. +A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing—they don't store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. ## Design requirements -The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. +The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide another security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that isn't wanted. The following illustration shows the traffic protection needs for this design example. @@ -40,23 +42,23 @@ The following illustration shows the traffic protection needs for this design ex 2. The WGBank front-end servers can receive unsolicited inbound traffic from the client devices and the WGBank partner servers. The WGBank client devices and partner servers can receive the response. -3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it. +3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients don't poll for this unsolicited traffic, but must be able to receive it. 4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses. -5. There is no direct communications between the client devices and the WGBank back-end devices. +5. There's no direct communications between the client devices and the WGBank back-end devices. -6. There is no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers. +6. There's no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers. -7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that do not require an outside server. Firewall rules must block the network traffic created by these programs. +7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that don't require an outside server. Firewall rules must block the network traffic created by these programs. 8. The WGBank partner servers can receive inbound requests from partner devices through the Internet. Other traffic notes: -- Devices are not to receive any unsolicited traffic from any computer other than specifically allowed above. +- Devices aren't to receive any unsolicited traffic from any computer other than allowed above. -- Other outbound network traffic from the client devices not specifically identified in this example is permitted. +- Other outbound network traffic from the client devices not identified in this example is permitted. ## Design details @@ -77,23 +79,23 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t - DHCP servers that run the UNIX operating system -After evaluating these sets of devices, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct devices. +After the Woodgrove Bank network administrators evaluated these sets of devices, and compared them to the Active Directory organizational unit (OU) structure, they determined that there wasn't a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs won't be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it's applied to the correct devices. -Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. +Setting up groups as described here ensures that you don't have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all devices that run Windows were added to the correct groups: - **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all devices. - The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. + The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also has security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. - Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. - - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices. + - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update aren't included, because it's not needed on server devices. All rules are scoped to allow network traffic only from devices on Woodgrove Bank's corporate network. -- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. +- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group don't receive the default firewall GPO. Devices are added to this group if there's a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it's a member of this group. - **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. @@ -105,7 +107,7 @@ The following groups were created by using the Active Directory Users and Comput - **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. -In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. +In your own design, create a group for each computer role in your organization that requires different or more firewall rules. For example, file servers and print servers require more rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there's a security reason not to include it there. **Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md index db56dcc84e..9d3ccfc6b4 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -1,17 +1,23 @@ --- title: Troubleshooting Windows Firewall settings after a Windows upgrade description: Firewall settings lost on upgrade -ms.reviewer: -ms.author: v-bshilpa +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: Benny-54 -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Troubleshooting Windows Firewall settings after a Windows upgrade @@ -26,7 +32,7 @@ To help you organize your list, individual built-in firewall rules are categoriz - Remote Desktop – User Mode (TCP-In) - Remote Desktop – User-Mode (UDP-In) -Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows admins to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch. +Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows administrators to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this filtering by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch. ```Powershell Get-NetFirewallRule -Group @@ -35,6 +41,6 @@ Get-NetFirewallRule -Group > [!NOTE] > Microsoft recommends to enable or disable an entire group instead of individual rules. -Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules. This is because groups are not only used to organize rules and allow batch rule modification by type, but they also represent a 'unit' by which rule state is maintained across a Windows upgrade. Rule groups, as opposed to individual rules, are the unit by which the update process determines what should be enabled/disabled when the upgrade is complete. +Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules. This recommendation is because groups aren't only used to organize rules and allow batch rule modification by type, but they also represent a 'unit' by which rule state is maintained across a Windows upgrade. Rule groups, as opposed to individual rules, are the unit by which the update process determines what should be enabled/disabled when the upgrade is complete. -For example, the Remote Desktop group consists of three rules. To ensure that the rule set is properly migrated during an upgrade, all three rules must be enabled. If only one rule is enabled, the upgrade process will see that two of three rules are disabled and subsequently disable the entire group to maintain a clean, out-of-the-box configuration. This scenario has the unintended consequence of breaking Remote Desktop Protocol (RDP) connectivity to the host. +For example, the Remote Desktop group consists of three rules. To ensure that the rule set is properly migrated during an upgrade, all three rules must be enabled. If only one rule is enabled, the upgrade process will see that two of three rules are disabled and then disable the entire group to maintain a clean, out-of-the-box configuration. This scenario has the unintended consequence of breaking Remote Desktop Protocol (RDP) connectivity to the host. diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index fe4d111ad1..8725d0c4ed 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,26 +1,28 @@ --- title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Information about Your Active Directory Deployment -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: +Active Directory is another important item about which you must gather information. You must understand the forest structure. This structure includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: - **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation. @@ -28,10 +30,10 @@ Active Directory is another important item about which you must gather informati - **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between devices in different Active Directory domains. -- **Names and number of sites**. Site architecture is usually aligned with the network topology. Understanding how sites are defined in Active Directory will help provide insight into replication and other details. Site architecture can provide a better understanding of the current Active Directory deployment. +- **Names and number of sites**. Site architecture is aligned with the network topology. Understanding how sites are defined in Active Directory will help provide insight into replication and other details. Site architecture can provide a better understanding of the current Active Directory deployment. -- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. +- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You don't have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. -- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. +- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 aren't compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. **Next:** [Gathering Information about Your Devices](gathering-information-about-your-devices.md) diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 0c7ab93228..bfe7c5a55b 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,75 +1,77 @@ --- title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Information about Your Current Network Infrastructure -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: -- **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. +- **Network segmentation**. This component includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. - Network address translation (NAT). NAT is a means of separating network segments by using a device that maps all of the IP addresses on one side of the device to a single IP address accessible on the other side. -- Network infrastructure devices. This includes the routers, switches, hubs, and other network equipment that makes communications between the devices on the network possible. +- Network infrastructure devices. These devices include the routers, switches, hubs, and other network equipment that makes communications between the devices on the network possible. -- **Current network traffic model.** This includes the quantity and the characteristics of the network traffic flowing through your network. +- **Current network traffic model.** This component includes the quantity and the characteristics of the network traffic flowing through your network. -- Intrusion Detection System (IDS) devices. You will need to identify if you have any IDS devices on your network that might be negatively impacted by any encryption introduced in an Encryption Zone. +- Intrusion Detection System (IDS) devices. You'll need to identify if you have any IDS devices on your network that might be negatively impacted by any encryption introduced in an Encryption Zone. The goal is to have enough information to be able to identify an asset by its network location, in addition to its physical location. -Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. +Don't use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. -This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. +This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it doesn't try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. ## Network segmentation -If your organization does not have its current network architecture documented and available for reference, such documentation should be obtained as soon as possible before you continue with the design and deployment. If the documented information is not current or has not been validated recently, you have two options: +If your organization doesn't have its current network architecture documented and available for reference, such documentation should be obtained as soon as possible before you continue with the design and deployment. If the documented information isn't current or hasn't been validated recently, you have two options: - Accept that the lack of accurate information can cause risk to the project. - Undertake a discovery project, either through manual processes or with network analysis tools that can provide the information you need to document the current network topology. -Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, do not include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every device in your organization. +Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, don't include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every device in your organization. -During this process, you might discover some network applications and services that are not compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization. +During this process, you might discover some network applications and services that aren't compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization. Other examples of incompatibility include: -- Cisco NetFlow on routers cannot analyze packets between IPsec members based on protocol or port. +- Cisco NetFlow on routers can't analyze packets between IPsec members based on protocol or port. -- Router-based Quality of Service (QoS) cannot use ports or protocols to prioritize traffic. However, using firewall rules that specify IP addresses to prioritize traffic are not affected by this limitation of QoS. For example, a rule that says "From anyone to anyone using port 80 prioritize" does not work, but a rule that says "From anyone to 10.0.1.10 prioritize" works. +- Router-based Quality of Service (QoS) can't use ports or protocols to prioritize traffic. However, using firewall rules that specify IP addresses to prioritize traffic aren't affected by this limitation of QoS. For example, a rule that says "From anyone to anyone using port 80 prioritize" doesn't work, but a rule that says "From anyone to 10.0.1.10 prioritize" works. - Weighted Fair Queuing and other flow-based router traffic priority methods might fail. -- Devices that do not support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP). +- Devices that don't support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP). -- Router access control lists (ACLs) cannot examine protocol and port fields in ESP-encrypted packets, and therefore the packets are dropped. ACLs based only on IP address are forwarded as usual. If the device cannot parse ESP, any ACLs that specify port or protocol rules will not be processed on the ESP packets. If the device has an ESP parser and uses encryption, ACLs that specify port or protocol rules will not be processed on the ESP packets. +- Router access control lists (ACLs) can't examine protocol and port fields in ESP-encrypted packets, and therefore the packets are dropped. ACLs based only on IP address are forwarded as usual. If the device can't parse ESP, any ACLs that specify port or protocol rules won't be processed on the ESP packets. If the device has an ESP parser and uses encryption, ACLs that specify port or protocol rules won't be processed on the ESP packets. -- Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null). +- Network monitoring tools might be unable to parse ESP packets that aren't encrypted (ESP-Null). >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide).   ## Network address translation (NAT) -IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T does not support the use of AH across NAT devices. +IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T doesn't support the use of AH across NAT devices. ## Network infrastructure devices @@ -77,9 +79,9 @@ The devices that make up the network infrastructure (routers, switches, load bal - **Make/model**. You can use this information to determine the features that the device supports. In addition, check the BIOS version or software running on the device to ensure that IPsec is supported. -- **Amount of RAM**. This information is useful when you are analyzing capacity or the impact of IPsec on the device. +- **Amount of RAM**. This information is useful when you're analyzing capacity or the impact of IPsec on the device. -- **Traffic analysis**. Information, such as peak usage and daily orweekly trends, is helpful to have. The information helps provide a baseline snapshot of the device and how it is used over time. If problems occur after IPsec is implemented, the information can help determine whether the root cause is related to greater usage of the device. +- **Traffic analysis**. Information, such as peak usage and daily or weekly trends, is helpful to have. The information helps provide a baseline snapshot of the device and how it's used over time. If problems occur after IPsec is implemented, the information can help determine whether the root cause is related to greater usage of the device. - **Router ACLs that affect IPsec directly**. ACLs directly affect the ability of specific protocols to function. For example, blocking the Kerberos V5 protocol (UDP and TCP port 88) or IP protocol 50 or 51 prevents IPsec from working. Devices must also be configured to allow IKE traffic (UDP port 500) if using NAT-T (UDP port 4500). @@ -91,15 +93,15 @@ The devices that make up the network infrastructure (routers, switches, load bal >**Note:**  If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly. -- **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS does not have such a parser, it cannot determine if data in those packets is encrypted. +- **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS doesn't have such a parser, it can't determine if data in those packets is encrypted. After you obtain this information, you can quickly determine whether you must upgrade the devices to support the requirements of the project, change the ACLs, or take other measures to ensure that the devices can handle the loads needed. ## Current network traffic model -After gathering the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that is not secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet. +After you gather the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that isn't secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet. -When you examine traffic flow, look closely at how all managed and unmanaged devices interact. This includes non-Windows-based devices running Linux, UNIX, and Macintosh. Ask yourself such questions as: +When you examine traffic flow, look closely at how all managed and unmanaged devices interact. These devices include non-Windows-based devices running Linux, UNIX, and Macintosh. Ask yourself such questions as: - Do specific communications occur at the port and protocol level, or are there many sessions between the same hosts across many protocols? @@ -109,9 +111,9 @@ When you examine traffic flow, look closely at how all managed and unmanaged dev Some of the more common applications and protocols are as follows: -- **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it is common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. A null session is a session that is established on a host that does not use the security context of a known user or entity. Frequently, these sessions are anonymous. +- **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it's common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. A null session is a session that is established on a host that doesn't use the security context of a known user or entity. Frequently, these sessions are anonymous. -- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. +- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means to open the RPC listener port, and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. - **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 6d7e499d9c..eb25dfbbce 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,34 +1,36 @@ --- title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Information about Your Devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. Capture the following information from each device: -- **Computer name**. This name is the device's NetBIOS or DNS name that identifies the device on the network. Because a device can have more than one media access control (MAC) or IP address, the device's name is one of the criteria that can be used to determine uniqueness on the network. Because device names can be duplicated under some circumstances, the uniqueness should not be considered absolute. +- **Computer name**. This name is the device's NetBIOS or DNS name that identifies the device on the network. Because a device can have more than one media access control (MAC) or IP address, the device's name is one of the criteria that can be used to determine uniqueness on the network. Because device names can be duplicated under some circumstances, the uniqueness shouldn't be considered absolute. -- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address is not an effective way to identify an asset because it is often subject to change. +- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address isn't an effective way to identify an asset because it's often subject to change. -- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It is also important to track the current state of service packs and updates that might be installed, because these are often used to determine that minimum security standards have been met. +- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It's also important to track the current state of service packs and updates that might be installed, because these packs and updates are often used to determine that minimum security standards have been met. - **Domain membership**. This information is used to determine whether a device can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy. @@ -38,7 +40,7 @@ Capture the following information from each device: After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements. -You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to completely manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy. +You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy. ## Automated Discovery @@ -52,7 +54,7 @@ The biggest difference between manual discovery methods and automated methods is You can use Windows PowerShell to create a script file that can collect the system configuration information. For more information, see [Windows PowerShell Scripting](https://go.microsoft.com/fwlink/?linkid=110413). -Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. +Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all other changes must be recorded and the updates noted in the inventory. This inventory will be critical for planning and implementing your Windows Defender Firewall design. diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index fe22f964b8..27ebec7226 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,26 +1,28 @@ --- title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Other Relevant Information -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. +This topic discusses several other things that you should examine to see whether they'll cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. ## Capacity considerations @@ -30,7 +32,7 @@ Because IPsec uses mathematically intensive cryptographic techniques, it can con - **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5  KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization. -- **NAT devices.** As discussed earlier, NAT does not allow Authentication Header (AH) conversations between hosts. If NAT devices exist on the internal network, ESP must be selected instead of AH. +- **NAT devices.** As discussed earlier, NAT doesn't allow Authentication Header (AH) conversations between hosts. If NAT devices exist on the internal network, ESP must be selected instead of AH. - **Switches and routers.** Proper capacity planning for the implementation of IPsec is more about thorough testing and expected traffic loads than exact calculations. You might have to upgrade or reconfigure switches or routers that currently exceed 75 percent usage to allow for increased traffic on the device and still provide some extra usage for bursts of traffic. @@ -40,40 +42,40 @@ Because IPsec uses mathematically intensive cryptographic techniques, it can con ## Group Policy deployment groups and WMI filters -You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. +You don't have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It's not necessary to use this technique if your network consists of devices. ## Different Active Directory trust environments When you design a domain isolation policy, consider any logical boundaries that might affect IPsec-secured communications. For example, the trust relationships between your domains and forests are critical in determining an appropriate IKE authentication method. -Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responder’s domain. If firewalls separate the domains then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389. +Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responder’s domain. If firewalls separate the domains, then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389. -If the use of Kerberos V5 authentication is not possible because two-way trusts across forests cannot be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication. +If the use of Kerberos V5 authentication isn't possible because two-way trusts across forests can't be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication. ## Creating firewall rules to permit IKE, AH, and ESP traffic -In some cases, IPsec-secured traffic might have to pass through a router, perimeter firewall, or other filtering device. In the case of a router, unless the router filters TCP and UDP traffic or other upper-level protocol headers, no special configuration is required to allow the IPsec traffic to be forwarded. +In some cases, IPsec-secured traffic might have to pass through a router, perimeter firewall, or other filtering device. If there's a router, unless the router filters TCP and UDP traffic or other upper-level protocol headers, no special configuration is required to allow the IPsec traffic to be forwarded. -In the case of a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected. +If there's a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected. ## Network load balancing and server clusters There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific device, it prevents different devices from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client device as untrusted. -This means that NLB in "no affinity" mode is not supported by IPsec at all. If you must use "no affinity" mode in the cluster then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec. +This dropping of traffic means that NLB in "no affinity" mode isn't supported by IPsec at all. If you must use "no affinity" mode in the cluster, then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec. When a TCP connection is dropped because of a cluster node failover, IPsec detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out. ## Network inspection technologies -Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some are not yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device. +Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some aren't yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device. -Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, cannot parse ESP-encrypted traffic. Only the destination device, with which the originating device negotiated the connection, can decrypt the traffic. +Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, can't parse ESP-encrypted traffic. Only the destination device, with which the originating device negotiated the connection, can decrypt the traffic. -In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there is no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you cannot upgrade monitoring or management devices to support IPsec, it is important that you record this information and figure it into your domain or server isolation design. +In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there's no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you can't upgrade monitoring or management devices to support IPsec, it's important that you record this information and figure it into your domain or server isolation design. -Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices. +Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor can't parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices. Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide). diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index 0599090184..5f8c2be8fe 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -1,26 +1,28 @@ --- title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering the Information You Need -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. +Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information isn't accurate, problems can occur when devices and devices that weren't considered during the planning phase are encountered during implementation. Review each of the following articles for guidance about the kinds of information that you must gather: diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index adfb2e0acb..a9b3bb3f08 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,28 +1,30 @@ --- title: GPO\_DOMISO\_Boundary (Windows) -description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. -ms.reviewer: -ms.author: dansimp +description: This example GPO supports devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices. +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_Boundary -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. -This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008. +This GPO supports the ability for devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices. It's intended to only apply to server devices that are running at least Windows Server 2008. ## IPsec settings @@ -31,7 +33,7 @@ The copied GPO includes and continues to use the IPsec settings that configure k ## Connection security rules -Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that is not part of the isolated domain connects. +Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that isn't part of the isolated domain connects. ## Registry settings @@ -43,6 +45,6 @@ The boundary zone uses the same registry settings as the isolated domain to opti Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other devices. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. -Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. +Make sure that the GPO that contains firewall rules for the isolated domain doesn't also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. **Next:** [Encryption Zone GPOs](encryption-zone-gpos.md) diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index bc83b6e60d..9849e51f4d 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,16 +1,22 @@ --- title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. -ms.reviewer: -ms.author: dansimp -author: dansimp -manager: dansimp +ms.reviewer: jekrynit +ms.author: paoloma +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.prod: m365-security ms.localizationpriority: medium ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_Encryption\_WS2008 @@ -18,14 +24,14 @@ ms.technology: windows-sec This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. -This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. +This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It's intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. ## IPsec settings The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain. The following changes are made to encryption zone copy of the GPO: -The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This setting disables all integrity-only algorithm combinations. +The encryption zone servers require all connections to be encrypted. To do this encryption, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This setting disables all integrity-only algorithm combinations. ## Connection security rules @@ -44,7 +50,7 @@ Copy the firewall rules for the encryption zone from the GPO that contains the f Change the action for every inbound firewall rule from **Allow the connection** to **Allow only secure connections**, and then select **Require the connections to be encrypted**. -Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. +Make sure that the GPO that contains firewall rules for the isolated domain doesn't also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. **Next:** [Server Isolation GPOs](server-isolation-gpos.md) diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 6cd30ab0e7..c50f026cc3 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -1,24 +1,26 @@ --- title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_Firewall -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index ce23a063fa..40f53282db 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,26 +1,28 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) -description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.reviewer: -ms.author: dansimp +description: Author this GPO by using Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_IsolatedDomain\_Clients -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. @@ -32,7 +34,7 @@ This GPO provides the following settings: - The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting. -- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones. +- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This algorithm is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones. - The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). @@ -75,7 +77,7 @@ This GPO provides the following rules: >**Important:**  On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the devices were successfully communicating by using IPsec, they switched the GPOs to require authentication. - - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that cannot run Windows or cannot join the domain, but must still participate in the isolated domain. + - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that can't run Windows or can't join the domain, but must still participate in the isolated domain. - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 3e29726a15..cd7824dccc 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,30 +1,32 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_IsolatedDomain\_Servers -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. +This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to server devices that are running at least Windows Server 2008. -Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: +Because so many of the settings and rules for this GPO are common to those settings and rules in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: -- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). +- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server isn't expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (the example of a server running Windows Server 2008). >**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device. diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 5684e64a1e..393ecebb5b 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,27 +1,29 @@ --- title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Identifying Windows Defender Firewall with Advanced Security implementation goals -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. -The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall implementation goals: +The following table lists the three main tasks for articulating, refining, and later documenting your Windows Defender Firewall implementation goals: | Deployment goal tasks | Reference links | diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 19be53c930..663cee3cb9 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,24 +1,26 @@ --- title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Implementing Your Windows Defender Firewall with Advanced Security Design Plan -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following are important factors in the implementation of your Windows Defender Firewall design plan: @@ -26,11 +28,11 @@ The following are important factors in the implementation of your Windows Defend - **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. -- **Devices running operating systems other than Windows**. If your network includes devices that are not running the Windows operating system, then you must make sure that required communication with those devices is not blocked by the restrictions put in place by your design. You must do one of the following: +- **Devices running operating systems other than Windows**. If your network includes devices that aren't running the Windows operating system, then you must make sure that required communication with those devices isn't blocked by the restrictions put in place by your design. You must implement one of the following steps: - Include those devices in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. - - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design. + - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device can't participate in the isolated domain design. ## How to implement your Windows Defender Firewall with Advanced Security design using this guide diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index afdbbb4444..d15da4ef92 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,30 +1,32 @@ --- title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Isolated Domain GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section. -The GPOs created for the Woodgrove Bank isolated domain include the following: +The GPOs created for the Woodgrove Bank isolated domain include: - [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md) diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index 336af76b07..16663963fe 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -1,16 +1,22 @@ --- title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Isolated Domain @@ -22,9 +28,9 @@ ms.technology: windows-sec The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. -The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. +The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution, the two constructs are similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. -For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. +For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those requirements of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. @@ -33,7 +39,7 @@ The GPOs for the isolated domain should contain the following connection securit ## GPO settings for isolated domain members running at least Windows Vista and Windows Server 2008 -GPOs for devices running at least Windows Vista and Windows Server 2008 should include the following: +GPOs for devices running at least Windows Vista and Windows Server 2008 should include: - IPsec default settings that specify the following options: @@ -41,11 +47,11 @@ GPOs for devices running at least Windows Vista and Windows Server 2008 should 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES, or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members can't use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. - The following connection security rules: diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index 94c2d1efc2..4da13f6712 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -3,22 +3,24 @@ title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Isolating Microsoft Store Apps on Your Network -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 27ca0787a6..50361255a5 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -1,24 +1,26 @@ --- title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Link the GPO to the Domain -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index e14954cb74..b729a362be 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,24 +1,26 @@ --- title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Mapping your implementation goals to a Windows Firewall with Advanced Security design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. > [!IMPORTANT] diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 20c89d309f..ce5e5032ad 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,24 +1,26 @@ --- title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Modify GPO Filters to Apply to a Different Zone or Version of Windows -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 27d55010fe..2a59a2ec1e 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -1,24 +1,26 @@ --- title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Open the Group Policy Management Console to IP Security Policies -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 6b414fd0e1..fbbda89fb9 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,24 +1,26 @@ --- title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Group Policy Management of Windows Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 7c1ef5c3ab..548d290e41 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,24 +1,26 @@ --- title: Group Policy Management of Windows Defender Firewall (Windows) description: Group Policy Management of Windows Defender Firewall with Advanced Security -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Group Policy Management of Windows Defender Firewall -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To open a GPO to Windows Defender Firewall: diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 31a3fba50f..7d3b9aafd8 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,24 +1,26 @@ --- title: Open Windows Defender Firewall with Advanced Security (Windows) description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Open Windows Defender Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index e0e0de7084..6ed68f701c 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,26 +1,28 @@ --- title: Planning Certificate-based Authentication (Windows) description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Certificate-based Authentication -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. +Sometimes a device can't join an Active Directory domain, and therefore can't use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each device sends a copy of its certificate to the other device. Each device examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local device. @@ -48,12 +50,12 @@ You must also import the purchased certificate into a GPO that deploys it to the ### Using a commercially purchased certificate for devices running a non-Windows operating system -If you are installing the certificates on an operating system other than Windows, see the documentation for that operating system. +If you're installing the certificates on an operating system other than Windows, see the documentation for that operating system. ## Configuring IPsec to use the certificates When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution. -Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. +Starting in Windows Server 2012, you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, and name restrictions and certificate thumbprints. This EKU is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. **Next:** [Documenting the Zones](documenting-the-zones.md) diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index 8732491e55..0edcdd46c3 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,30 +1,32 @@ --- title: Planning Domain Isolation Zones (Windows) -description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Domain Isolation Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. The bulk of the work in planning server and domain isolation is determining which devices to assign to each isolation zone. Correctly choosing the zone for each device is important to providing the correct level of security without compromising performance or the ability for a device to send or receive required network traffic. -The zones described in this guide include the following: +The zones described in this guide include: - [Exemption List](exemption-list.md) diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index fcdef1ec8f..12a6970f24 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,32 +1,34 @@ --- title: Planning GPO Deployment (Windows) description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning GPO Deployment -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can control which GPOs are applied to devices in Active Directory in a combination of three ways: -- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO. +- **Active Directory organizational unit hierarchy**. This method involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO. Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to devices based on their location within Active Directory. If a device is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. -- **Security group filtering**. This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO. +- **Security group filtering**. This method involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO. The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those devices whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. @@ -42,7 +44,7 @@ This guide uses a combination of security group filtering and WMI filtering to p ## Test your deployed groups and GPOs -After you have deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members: +After you've deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members: - Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. @@ -54,17 +56,17 @@ After you have deployed your GPOs and added some test devices to the groups, con - Verify that your programs are unaffected. Run them and confirm that they still work as expected. -After you have confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices. +After you've confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices. -## Do not enable require mode until deployment is complete +## Don't enable require mode until deployment is complete If you deploy a GPO that requires authentication to a device before the other devices have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the devices are successfully communicating by using IPsec. If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, devices can continue to operate, because request mode enables any device to fall back to clear communications. -Only after you have added all of the devices to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. +Only after you've added all of the devices to their zones, and you've confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it's required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they're functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. -Do not change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections. +Don't change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections. If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of devices to the larger groups. diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 46f1ec18cd..a63f2b239f 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -1,28 +1,30 @@ --- title: Planning Group Policy Deployment for Your Isolation Zones (Windows) description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Group Policy Deployment for Your Isolation Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. +After you've decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. -You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct devices within each group. +You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you'll ensure that the policies will only apply to the correct devices within each group. - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index 703b785517..ee193d5c3d 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,26 +1,28 @@ --- title: Planning Isolation Groups for the Zones (Windows) description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Isolation Groups for the Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. +Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group that represents that zone. > [!CAUTION] > Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others. @@ -31,15 +33,15 @@ The following table lists typical groups that can be used to manage the domain i | Group name | Description | | - | - | -| CG_DOMISO_No_IPsec | A universal group of device accounts that do not participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
                                This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.| -| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
                                During the early days of testing, this group might contain only a very small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
                                Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| +| CG_DOMISO_No_IPsec | A universal group of device accounts that don't participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
                                This group is used in security group filters to ensure that GPOs with IPsec rules aren't applied to group members.| +| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
                                During the early days of testing, this group might contain only a small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
                                Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| | CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.

                                Members of this group receive a GPO that specifies that authentication is requested, but not required.| | CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
                                Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections. | CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
                                Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
                                There will be one group for each set of servers that have different user and device restriction requirements. | Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md). -If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. +If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it's more specific. **Next:** [Planning Network Access Groups](planning-network-access-groups.md) diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 115c4bc0b4..ebc3e779ce 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,24 +1,26 @@ --- title: Planning Network Access Groups (Windows) description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Network Access Groups -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. @@ -26,7 +28,7 @@ Minimize the number of NAGs to limit the complexity of the solution. You need on The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership. -For the Woodgrove Bank scenario, access to the devices running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. +For the Woodgrove Bank scenario, access to the devices running SQL Server which support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They're also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. | NAG Name | NAG Member Users, Computers, or Groups | Description | | - | - | - | diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index 7c7ab8b78d..6cdcc36dc6 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,36 +1,38 @@ --- title: Planning Server Isolation Zones (Windows) description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Server Isolation Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices. -To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device is not a member of a required NAG then the network connection is refused. +To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This invocation causes IKE to use Kerberos V5 to exchange credentials with the server. The other firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device isn't a member of a required NAG, then the network connection is refused. ## Isolated domains and isolated servers -If you are using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user. +If you're using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user. -If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. +If you aren't using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. ## Creating multiple isolated server zones @@ -44,7 +46,7 @@ An isolated server is often a member of the encryption zone. Therefore, copying ### GPO settings for isolated servers running at least Windows Server 2008 -GPOs for devices running at least Windows Server 2008 should include the following: +GPOs for devices running at least Windows Server 2008 should include: >**Note:**  The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. @@ -52,16 +54,16 @@ GPOs for devices running at least Windows Server 2008 should include the follow 1. Exempt all ICMP traffic from IPsec. - 2. Key exchange (main mode) security methods and algorithm. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + 2. Key exchange (main mode) security methods and algorithm. We recommend that you don't include Diffie-Hellman Group 1, DES, or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. - 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. - If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs. + If any NAT devices are present on your networks, don't use AH because it can't traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs. - 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else devices that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Don't make the user-based authentication method mandatory, or else devices that can't use AuthIP instead of IKE, including Windows XP and Windows Server 2003, can't communicate. Likewise, if any of your domain isolation members can't use Kerberos V5, include certificate-based authentication as an optional authentication method. - The following connection security and firewall rules: - +s - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index 5aed4df804..f4bcdca804 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,30 +1,32 @@ --- title: Planning Settings for a Basic Firewall Policy (Windows) description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Settings for a Basic Firewall Policy -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. +After you've identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. -The following is a list of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis: +The following list is that of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis: -- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. +- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they aren't on the organization's network, you can't fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. >**Important:**  We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop devices, and only support different profiles on portable devices. @@ -36,17 +38,17 @@ The following is a list of the firewall settings that you might consider for inc - **Allow unicast response: Yes**. We recommend that you use the default setting of **Yes** unless you have specific requirements to do otherwise. -- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows does not create a new firewall rule and the traffic remains blocked. +- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this setting to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows doesn't create a new firewall rule and the traffic remains blocked. - If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs then you can set this value to **No**. + If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs, then you can set this value to **No**. - **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot. - **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions. -- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. +- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program can't receive unexpected traffic on a different port. - Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required. + Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they don't open up more ports than are required. >**Important:**  If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 054cd6b4c9..1a921ebe00 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -1,24 +1,26 @@ --- title: Planning the GPOs (Windows) description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning the GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. @@ -26,7 +28,7 @@ When you plan the GPOs for your different isolation zones, you must complete the A few things to consider as you plan the GPOs: -- Do not allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior. +- Don't allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This receipt of multiple GPOs can result in unexpected, and difficult to troubleshoot behavior. The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones. @@ -43,13 +45,13 @@ A few things to consider as you plan the GPOs: > [!NOTE] > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. -After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. +After you consider these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. ## Woodgrove Bank example GPOs The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. -In this section you can find information about the following: +In this section you can find information about: - [Firewall GPOs](firewall-gpos.md) diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 1bb9e49550..1411d23007 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,24 +1,26 @@ --- title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows) description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning to Deploy Windows Defender Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. @@ -38,11 +40,11 @@ The design team's strategy for determining how WMI and security group filters at ### Configure communication between members and devices -Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list. +Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that aren't part of the isolated domain or members of the isolated domain's exemption list. ### Exempt domain controllers from IPsec authentication requirements -It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. +It's recommended that domain controllers are exempt from IPsec authentication requirements. If they aren't exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. ### Configure IPsec authentication rules @@ -58,7 +60,7 @@ For all devices to communicate with each other, they must share a common set of: - Quick mode data integrity algorithms -If at least one set of each does not match between two devices, then the devices cannot successfully communicate. +If at least one set of each doesn't match between two devices, then the devices can't successfully communicate. ## Deploy your Windows Firewall Design Plan diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index c88257ead5..9d104e67c2 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,36 +1,38 @@ --- title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows) description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Your Windows Defender Firewall with Advanced Security Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. +After you've gathered the relevant information in the previous sections, and understood the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. ## Basic firewall design We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. -When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section. +When you're ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section. ## Algorithm and method support and selection -To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths. +To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, and their relative strengths. ## IPsec performance considerations @@ -45,11 +47,11 @@ Include this design in your plans: - If you have an Active Directory domain of which most of the devices are members. -- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that are not part of the domain. +- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that aren't part of the domain. -If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. +If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you're sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you're troubleshooting. -When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. +When you're ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. ## Server isolation design @@ -58,38 +60,38 @@ Include this design in your plans: - If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices. -- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices. +- You aren't deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices. -If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements. +If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the other server isolation elements. -When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section. +When you're ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section. ## Certificate-based authentication design Include this design in your plans: -- If you want to implement some of the elements of domain or server isolation on devices that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism. +- If you want to implement some of the elements of domain or server isolation on devices that aren't joined to an Active Directory domain, or don't want to use domain membership as an authentication mechanism. -- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the device is not running Windows, or for any other reason. +- You have an isolated domain and want to include a server that isn't a member of the Active Directory domain because the device isn't running Windows, or for any other reason. -- You must enable external devices that are not managed by your organization to access information on one of your servers, and want to do this in a secure way. +- You must enable external devices that aren't managed by your organization to access information on one of your servers in a secure way. If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it. -When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section. +When you're ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section. ## Documenting your design -After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. +After you finish selecting the designs that you'll use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. - [Documenting the Zones](documenting-the-zones.md) ## Designing groups and GPOs -After you have selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your devices. +After you've selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you'll use to apply the settings and rules to your devices. -When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. +When you're ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. **Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index 8c98be2b77..b12f025700 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -1,24 +1,26 @@ --- title: Procedures Used in This Guide (Windows) description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Procedures Used in This Guide -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index ba994c905e..e143a06c23 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,32 +1,34 @@ --- title: Protect devices from unwanted network traffic (Windows) description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/18/2022 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Protect devices from unwanted network traffic -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. +Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall can't protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable devices are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/security-intelligence-report). -Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network. +Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide extra protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it's away from the organization's network. -A host-based firewall helps secure a device by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits: +A host-based firewall helps secure a device by dropping all network traffic that doesn't match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits: - Network traffic that is a reply to a request from the local device is permitted into the device from the network. @@ -34,7 +36,7 @@ A host-based firewall helps secure a device by dropping all network traffic that For example, Woodgrove Bank wants a device that is running SQL Server to be able to receive the SQL queries sent to it by client devices. The firewall policy deployed to the device that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program. -- Outbound network traffic that is not specifically blocked is allowed on the network. +- Outbound network traffic that isn't blocked is allowed on the network. For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted. @@ -42,6 +44,6 @@ The following component is recommended for this deployment goal: - **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. -Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. +Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to large organizations. **Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index 42338ede59..c914408573 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -1,25 +1,31 @@ --- title: Quarantine behavior description: Quarantine behavior is explained in detail. -ms.author: v-bshilpa -author: Benny-54 -manager: dansimp -ms.reviewer: +ms.author: paoloma +author: paolomatarazzo +manager: aaroncz +ms.reviewer: jekrynit ms.prod: m365-security ms.localizationpriority: normal ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Quarantine behavior One of the security challenges that network admins face is configuring a machine properly after a network change. -Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities. +Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This requirement by operations is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities. -To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine. +To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network, and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine. While the quarantine feature has long been a part of Windows Firewall, the feature behavior has often caused confusion for customers unaware of quarantine and its motivations. @@ -50,7 +56,7 @@ For more information about WFP layers and sublayers, see [WFP Operation](/window ### Quarantine default inbound block filter -The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet is not explicitly permitted by another filter in the quarantine sublayer. +The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet isn't explicitly permitted by another filter in the quarantine sublayer. ### Quarantine default exception filters @@ -62,9 +68,9 @@ The interface un-quarantine filters allow all non-loopback packets if the interf ## Quarantine flow -The following describes the general flow of quarantine: +The following events describe the general flow of quarantine: -1. There is some change on the current network interface. +1. There's some change on the current network interface. 2. The interface un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state. @@ -102,7 +108,7 @@ The `netEvent` will have more information about the packet that was dropped incl If the filter that dropped that packet was by the quarantine default inbound block filter, then the drop `netEvent` will have `filterOrigin` as `Quarantine Default`. -The following is a sample `netEvent` with `filterOrigin` as `Quarantine Default`. +The following code is a sample `netEvent` with `filterOrigin` as `Quarantine Default`. ```XML @@ -202,8 +208,8 @@ Get-NetIPInterface –InterfaceIndex 5 ![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png) -Using the interface name, event viewer can be searched for any interface related changes. +With the help of the interface name, event viewer can be searched for any interface related changes. To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)). -Packet drops from the quarantine default inbound block filter are often transient and do not signify anything more than a network change on the interface. \ No newline at end of file +Packet drops from the quarantine default inbound block filter are often transient and don't signify anything more than a network change on the interface. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 23025f1e50..eda42f13e6 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -1,26 +1,28 @@ --- title: Require Encryption When Accessing Sensitive Network Resources (Windows) description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Require Encryption When Accessing Sensitive Network Resources -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. +The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it doesn't prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets aren't encrypted. For devices that share sensitive information over the network, Windows Defender Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. @@ -30,7 +32,7 @@ The following illustration shows an encryption zone in an isolated domain. The r This goal provides the following benefits: -- Devices in the encryption zone require authentication to communicate with other devices. This works no differently from the domain isolation goal and design. For more info, see [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md). +- Devices in the encryption zone require authentication to communicate with other devices. This rule works no differently from the domain isolation goal and design. For more information, see [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md). - Devices in the encryption zone require that all inbound and outbound network traffic be encrypted. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index b91f299c18..1b7a5eef66 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,34 +1,36 @@ --- title: Restrict Access to Only Specified Users or Devices (Windows) description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Restrict Access to Only Specified Users or Computers -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. -Windows Defender Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). +Windows Defender Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it's likely that you'll create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. You can restrict access by specifying either computer or user credentials. -The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. +The following illustration shows an isolated server, and examples of devices that can and can't communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but aren't members of the required NAG, can't communicate with the isolated server. ![isolated domain with network access groups.](images/wfas-domainnag.gif) @@ -40,7 +42,7 @@ This goal, which corresponds to [Server Isolation Policy Design](server-isolatio - Server isolation can also be configured independently of an isolated domain. To do so, configure only the devices that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership. -- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- A server isolation zone can be simultaneously configured as an encryption zone. To do so, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). The following components are required for this deployment goal: diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index cc78b7ceb7..83e9ef9191 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,26 +1,28 @@ --- title: Restrict access to only trusted devices (Windows) description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Restrict access to only trusted devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. +Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that aren't owned by your organization to your network. Because you don't manage those devices, you can't trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it's truly required. To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. @@ -35,21 +37,21 @@ The following illustration shows an isolated domain, with one of the zones that These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: -- Devices in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another device in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication. +- Devices in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another device in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason can't perform IPsec authentication. - For example, Woodgrove Bank wants all of its devices to block all unsolicited inbound network traffic from any device that it does not manage. The connection security rules deployed to domain member devices require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted. + For example, Woodgrove Bank wants all of its devices to block all unsolicited inbound network traffic from any device that it doesn't manage. The connection security rules deployed to domain member devices require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted. - Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests. - For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Defender Firewall settings for outbound network traffic allow this. No additional rules are required. + For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Defender Firewall settings for outbound network traffic allow this access. No other rules are required. These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices: -- Devices in the "boundary zone" are configured to use connection security rules that request but do not require authentication. This enables them to receive unsolicited inbound network traffic from untrusted devices, and also to receive traffic from the other members of the isolated domain. +- Devices in the "boundary zone" are configured to use connection security rules that request but don't require authentication. This configuration enables them to receive unsolicited inbound network traffic from untrusted devices, and also to receive traffic from the other members of the isolated domain. - For example, Woodgrove Bank has a server that must be accessed by its partners' devices through the Internet. The rules applied to devices in the boundary zone use authentication when the client device can support it, but do not block the connection if the client device cannot authenticate. + For example, Woodgrove Bank has a server that must be accessed by its partners' devices through the Internet. The rules applied to devices in the boundary zone use authentication when the client device can support it, but don't block the connection if the client device can't authenticate. -- Devices in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it is sent over the network. +- Devices in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it's sent over the network. For example, Woodgrove Bank wants the devices running SQL Server to only transmit data that is encrypted to help protect the sensitive data stored on those devices. diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index d405ae9ad9..ccd8c1f678 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,24 +1,26 @@ --- title: Restrict Server Access to Members of a Group Only (Windows) description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Restrict Server Access to Members of a Group Only -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index e43a977d74..5de4aeebab 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -3,22 +3,24 @@ title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 20 description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Securing End-to-End IPsec connections by using IKEv2 -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above IKEv2 offers the following: diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index 9f249ae1c5..15f710e53b 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,35 +1,37 @@ --- title: Server Isolation GPOs (Windows) description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Server Isolation GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. -All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. +All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices aren't expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. ## GPO\_SRVISO This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following changes: -- The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs granted permission include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers. +- The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs-granted permissions include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers. >**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index f5b9e6802b..f920003a00 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,30 +1,32 @@ --- title: Server Isolation Policy Design Example (Windows) description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Server Isolation Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. -In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network. +In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide extra protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. These rules and regulations include a requirement to prevent interception of and access to the information when it is in transit over the network. -The information presented by the WGBank front-end servers to the client devices, and the information presented by the WGPartner servers to the remote partner devices, are not considered sensitive for the purposes of the government regulations, because they are processed to remove sensitive elements before transmitting the data to the client devices. +The information presented by the WGBank front-end servers to the client devices, and the information presented by the WGPartner servers to the remote partner devices, aren't considered sensitive for the purposes of the government regulations, because they're processed to remove sensitive elements before transmitting the data to the client devices. In this guide, the examples show server isolation layered on top of a domain isolation design. If you have an isolated domain, the client devices are already equipped with GPOs that require authentication. You only have to add settings to the isolated server(s) to require authentication on inbound connections, and to check for membership in the NAG. The connection attempt succeeds only if NAG membership is confirmed. @@ -34,7 +36,7 @@ Server isolation can also be deployed by itself, to only the devices that must p In short, instead of applying the client GPO to all clients in the domain, you apply the GPO to only the members of the NAG. -If you do not have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you do not have an Active Directory domain, you cannot use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. +If you don't have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you don't have an Active Directory domain, you can't use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. ## Design requirements @@ -44,11 +46,11 @@ The following illustration shows the traffic protection needs for this design ex ![isolated server example.](images/wfas-design3example1.gif) -1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). +1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. These accounts include the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it's sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). 2. All network traffic to and from the SQL Server devices must be encrypted. -3. Client devices or users whose accounts are not members of the NAG cannot access the isolated servers. +3. Client devices or users whose accounts aren't members of the NAG can't access the isolated servers. **Other traffic notes:** @@ -62,12 +64,12 @@ Woodgrove Bank uses Active Directory groups and GPOs to deploy the server isolat As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all devices that run Windows were added to the correct groups. -- **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they are using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS. +- **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they're using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS. >**Note:**  You can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.   -Network access groups (NAGs) are not used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server. +Network access groups (NAGs) aren't used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server. - **CG\_NAG\_SQL\_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers. @@ -75,8 +77,8 @@ Network access groups (NAGs) are not used to determine which GPOs are applied to >**Note:**  You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. -If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this, all the devices that are authorized to access the isolated server also have the required connection security rules. +If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this task, all the devices that are authorized to access the isolated server also have the required connection security rules. -You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption. +You don't have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contains connection security rules to support encryption. **Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index c9a669692f..5dc27f7b43 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -1,36 +1,38 @@ --- title: Server Isolation Policy Design (Windows) description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Server Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). -This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements. +This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have more security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. These restrictions and requirements can be done on a per-server basis, or for a group of servers that share common security requirements. -You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the devices that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and devices can access the isolated server are also used to determine which devices receive the GPO. +You can implement a server isolation design without using domain isolation. To do this implementation, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the devices that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and devices can access the isolated server are also used to determine which devices receive the GPO. The design is shown in the following illustration, with arrows that show the permitted communication paths. ![isolated domain with isolated server.](images/wfas-domainisohighsec.gif) -Characteristics of this design include the following: +Characteristics of this design include: - Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then devices in the boundary zone behave just like other members of the isolated domain in the way that they interact with devices in server isolation zones. diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index 2337344ccf..9796a30b9e 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -1,17 +1,23 @@ --- title: Troubleshooting UWP App Connectivity Issues in Windows Firewall description: Troubleshooting UWP App Connectivity Issues in Windows Firewall -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Troubleshooting UWP App Connectivity Issues @@ -25,7 +31,7 @@ This document guides you through steps to debug Universal Windows Platform (UWP UWP app network connectivity issues are typically caused by: -1. The UWP app was not permitted to receive loopback traffic. This must be configured. By default, UWP apps are not allowed to receive loopback traffic. +1. The UWP applications not being permitted to receive loopback traffic. This permission must be configured. By default, UWP applications aren't allowed to receive loopback traffic. 2. The UWP app is missing the proper capability tokens. 3. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies, etc. @@ -34,8 +40,7 @@ To understand these causes more thoroughly, there are several concepts to review The traffic of network packets (what's permitted and what’s not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP. -When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block -filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach. This ensures the application’s granular access to each resource type and preventing the application from escaping its environment. +When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet doesn't match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that doesn't have the correct capabilities for the resource it's trying to reach. Such a packet drop ensures the application’s granular access to each resource type and preventing the application from escaping its environment. For more information on the filter arbitration algorithm and network isolation, see [Filter @@ -53,13 +58,13 @@ traces collected on previous releases of Windows. If you need to establish a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback. -To enable loopback for client outbound connections, run the following at a command prompt: +To enable loopback for client outbound connections, run the following command at a command prompt: ```console CheckNetIsolation.exe LoopbackExempt -a -n= ``` -To enable loopback for server inbound connections, run the following at a +To enable loopback for server inbound connections, run the following command at a command prompt: ```console CheckNetIsolation.exe LoopbackExempt -is -n= @@ -77,9 +82,9 @@ Also, see [How to enable loopback and troubleshoot network isolation (Windows Ru ## Debugging Live Drops -If the issue happened recently, but you find you are not able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands. +If the issue happened recently, but you find you aren't able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands. -If you can consistently reproduce the issue, then you can run the following in an admin command prompt to gather a fresh trace: +If you can consistently reproduce the issue, then you can run the following command in an admin command prompt to gather a fresh trace: ```console Netsh wfp capture start keywords=19 @@ -89,7 +94,7 @@ Netsh wfp capture stop These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains any allow or drop netEvents and filters that existed during that repro. Without “keywords=19”, the trace will only collect drop netEvents. -Inside the wfpdiag.xml, search for netEvents which have +Inside the wfpdiag.xml, search for netEvents that have FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name. The characters in the application ID name will be separated by periods: @@ -110,11 +115,11 @@ The netEvent will have more information about the packet that was dropped includ In this example, the UWP app successfully connects to bing.com [2620:1ec:c11::200]. -A packet from a UWP app needs the correct networking capability token for the resource it is trying to reach. +A packet from a UWP app needs the correct networking capability token for the resource it's trying to reach. In this scenario, the app could successfully send a packet to the Internet target because it had an Internet capability token. -The following shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, +The following code shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, remote address, capabilities, etc. **Classify Allow netEvent, Wfpdiag-Case-1.xml** @@ -285,7 +290,7 @@ allowed by Filter #125918, from the InternetClient Default Rule. ``` -This is the condition for checking capabilities in this filter. +This condition enables checking capabilities in this filter. The important part of this condition is **S-1-15-3-1**, which is the capability SID for **INTERNET_CLIENT** privileges. @@ -298,7 +303,7 @@ capabilities from netEvent, Wfpdiag-Case-1.xml. FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK ``` -This shows the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the +These capabilities show the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the filter. All the other conditions are also met for the filter, so the packet is allowed. @@ -306,12 +311,12 @@ Something to note is that the only capability token required for the packet to reach bing.com was the Internet client token, even though this example showed the packet having all capabilities. -## Case 2: UWP APP cannot reach Internet target address and has no capabilities +## Case 2: UWP APP can't reach Internet target address and has no capabilities In this example, the UWP app is unable to connect to bing.com [2620:1ec:c11::200]. -The following is a drop netEvent that was captured in the trace. +The following example is that of a drop netEvent that was captured in the trace. **Classify Drop netEvent, Wfpdiag-Case-2.xml** ```xml @@ -384,7 +389,7 @@ The following is a drop netEvent that was captured in the trace. ``` The first thing that you should check in the **netEvent** is the capabilities field. In this example, the capabilities field is empty, indicating that the -UWP app was not configured with any capability tokens to allow it to connect to +UWP app wasn't configured with any capability tokens to allow it to connect to a network. **Internal Fields from netEvent, Wfpdiag-Case-2.xml** @@ -478,11 +483,11 @@ the same sublayer. If the packet had the correct capability token, **FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a -non-default block filter and would have been permitted to reach bing.com. +non-default block filter, and would have been permitted to reach bing.com. Without the correct capability tokens, the packet will be explicitly dropped by a default block outbound filter. -## Case 3: UWP app cannot reach Internet target address without Internet Client capability +## Case 3: UWP app can't reach Internet target address without Internet Client capability In this example, the app is unable to connect to bing.com [2620:1ec:c11::200]. @@ -562,10 +567,10 @@ only has a private network token. Therefore, the packet will be dropped. ``` -## Case 4: UWP app cannot reach Intranet target address without Private Network capability +## Case 4: UWP app can't reach Intranet target address without Private Network capability In this example, the UWP app is unable to reach the Intranet target address, -10.50.50.50, because it does not have a Private Network capability. +10.50.50.50, because it doesn't have a Private Network capability. **Classify Drop netEvent, Wfpdiag-Case-4.xml** ```xml @@ -639,7 +644,7 @@ In this example, the UWP app is unable to reach the Intranet target address, ``` -## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability +## Case 5: UWP app can't reach “Intranet” target address with Private Network capability In this example, the UWP app is unable to reach the Intranet target address, 10.1.1.1, even though it has a Private Network capability token. @@ -764,7 +769,7 @@ If the target was in the private range, then it should have been allowed by a PrivateNetwork Outbound Default Rule filter. The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, -10.1.1.1, is not included in these filters it becomes clear that the address is not in the private range. Check the policies that configure the private range +10.1.1.1, isn't included in these filters it becomes clear that the address isn't in the private range. Check the policies that configure the private range on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach. **PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** @@ -1003,13 +1008,13 @@ on the device (MDM, Group Policy, etc.) and make sure it includes the private ta ``` ## Debugging Past Drops -If you are debugging a network drop from the past or from a remote machine, you +If you're debugging a network drop from the past or from a remote machine, you may have traces already collected from Feedback Hub, such as nettrace.etl and wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the netEvents of the reproduced event, and wfpstate.xml will contain the filters that were present on the machine at the time. -If you do not have a live repro or traces already collected, you can still +If you don't have a live repro or traces already collected, you can still collect traces after the UWP network connectivity issue has happened by running these commands in an admin command prompt @@ -1023,27 +1028,26 @@ these commands in an admin command prompt net events. **Netsh wfp show state** creates wfpstate.xml, which contains the current filters present on the machine. -Unfortunately, collecting traces after the UWP network connectivity issue is not -always reliable. +Unfortunately, collecting traces after the UWP network connectivity issue isn't always reliable. NetEvents on the device are stored in a buffer. Once that buffer has reached maximum capacity, the buffer will overwrite older net events. Due to the buffer -overwrite, it is possible that the collected netevents.xml will not contain the +overwrite, it's possible that the collected netevents.xml won't contain the net event associated with the UWP network connectivity issue. It could have been ov overwritten. Additionally, filters on the device can get deleted and re-added with different filterIds due to miscellaneous events on the device. Because of -this, a **filterId** from **netsh wfp show netevents** may not necessarily match any +these implications, a **filterId** from **netsh wfp show netevents** may not necessarily match any filter in **netsh wfp show state** because that **filterId** may be outdated. If you can reproduce the UWP network connectivity issue consistently, we recommend using the commands from Debugging Live Drops instead. Additionally, you can still follow the examples from Debugging Live Drops -section using the trace commands in this section, even if you do not have a live +section using the trace commands in this section, even if you don't have a live repro. The **netEvents** and filters are stored in one file in Debugging Live Drops as opposed to two separate files in the following Debugging Past Drops examples. -## Case 7: Debugging Past Drop - UWP app cannot reach Internet target address and has no capabilities +## Case 7: Debugging Past Drop - UWP app can't reach Internet target address and has no capabilities In this example, the UWP app is unable to connect to bing.com. @@ -1118,12 +1122,12 @@ Classify Drop Net Event, NetEvents-Case-7.xml ``` -The Internal fields lists no active capabilities, and the packet is dropped at +The Internal fields list no active capabilities, and the packet is dropped at filter 206064. -This is a default block rule filter, meaning the packet passed through every -filter that could have allowed it, but because conditions didn’t match for any -those filters, the packet fell to the filter which blocks any packet that the +This filter is a default block rule filter, meaning the packet passed through every +filter that could have allowed it, but because conditions didn’t match for any of +those filters, the packet fell to the filter that blocks any packet that the Security Descriptor doesn’t match. **Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 64a55b790e..72d9d7fa43 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,24 +1,26 @@ --- title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows) description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index dd58d0c8d0..e924d932ea 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -3,14 +3,20 @@ title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Understanding the Windows Defender Firewall with Advanced Security Design Process diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 0c11ed522b..9359451826 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,32 +1,34 @@ --- title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Verify That Network Traffic Is Authenticated -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. +After you've configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. -In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you are working on: +In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you're working on: -- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, devices on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules are not working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm is not included in a security method combination on the clients, then those clients cannot successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they are working as expected without risking a loss of communications. +- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, devices on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules aren't working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm isn't included in a security method combination on the clients, then those clients can't successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they're working as expected without risking a loss of communications. -- **Boundary zone.** Confirming correct operation of IPsec is the last step if you are working on the boundary zone GPO. You do not convert the GPO to require mode at any time. +- **Boundary zone.** Confirming correct operation of IPsec is the last step if you're working on the boundary zone GPO. You don't convert the GPO to require mode at any time. - **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode. @@ -52,7 +54,7 @@ console. 2. In the **Available columns** list, select **Rule Source**, and then click **Add**. - 3. Use the **Move up** and **Move down** buttons to rearrange the order. Click **OK** when you are finished. + 3. Use the **Move up** and **Move down** buttons to rearrange the order. Click **OK** when you're finished. It can take a few moments for the list to be refreshed with the newly added column. @@ -63,7 +65,7 @@ console. The current list of main mode associations that have been negotiated with other devices appears in the details column. -6. Examine the list of main mode security associations for sessions between the local device and the remote device. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with additional details about the security association. +6. Examine the list of main mode security associations for sessions between the local device and the remote device. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with more details about the security association. 7. In the navigation pane, click **Quick mode**. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index c89e65cba2..14a6de27f4 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -3,24 +3,26 @@ title: Windows Defender Firewall with Advanced Security Administration with Wind description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. +The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. @@ -32,11 +34,11 @@ Windows PowerShell and netsh command references are at the following locations. ## Scope -This guide does not teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide. +This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#other-resources) section of this guide. ## Audience and user requirements -This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell. +This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell. ## In this topic @@ -47,7 +49,7 @@ This guide is intended for IT pros, system administrators, and IT managers, and | [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`| | [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters| | [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation| -| [Additional resources](#additional-resources) | More information about Windows PowerShell| +| [Other resources](#other-resources) | More information about Windows PowerShell| ## Set profile global defaults @@ -55,7 +57,7 @@ Global defaults set the device behavior in a per-profile basis. Windows Defender ### Enable Windows Defender Firewall with Advanced Security -Windows Defender Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Defender Firewall. Here is how to do this on a local domain device: +Windows Defender Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't being enforced, you may need to enable Windows Defender Firewall. Here's how to enable Windows Defender Firewall on a local domain device: **Netsh** @@ -92,7 +94,7 @@ Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow ### Disable Windows Defender Firewall with Advanced Security -Microsoft recommends that you do not disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). +Microsoft recommends that you don't disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). Disabling Windows Defender Firewall with Advanced Security can also cause problems, including: @@ -103,15 +105,15 @@ Disabling Windows Defender Firewall with Advanced Security can also cause proble Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed. -If disabling Windows Defender Firewall is required, do not disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). -Stopping the Windows Defender Firewall service is not supported by Microsoft. +If disabling Windows Defender Firewall is required, don't disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). +Stopping the Windows Defender Firewall service isn't supported by Microsoft. Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility. -You should not disable the firewall yourself for this purpose. +You shouldn't disable the firewall yourself for this purpose. The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running. -Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**. +Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**. For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md). The following example disables Windows Defender Firewall for all profiles. @@ -128,7 +130,7 @@ This section provides scriptlet examples for creating, modifying, and deleting f Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently. -Here is an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately. +Here's an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately. **Netsh** @@ -142,7 +144,7 @@ Windows PowerShell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow ``` -The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and this remains in effect until the Netsh session is ended or until another set store command is executed. +The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and the execution remains in effect until the Netsh session is ended or until another set store command is executed. Here, **domain.contoso.com** is the name of your Active Directory Domain Services (AD DS), and **gpo\_name** is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name. @@ -163,7 +165,7 @@ New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound To reduce the burden on busy domain controllers, Windows PowerShell allows you to load a GPO to your local session, make all your changes in that session, and then save it back at all once. -The following performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so leveraging GPO caching in PowerShell. Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter are not supported in Netsh +The following command performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so by applying GPO caching in PowerShell. Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter aren't supported in Netsh Windows PowerShell @@ -173,11 +175,11 @@ New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound Save-NetGPO –GPOSession $gpo ``` -Note that this does not batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes. +This command doesn't batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes. ### Modify an existing firewall rule -When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell this is specified with the *-Name* parameter). +When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell, this identifier is specified with the *-Name* parameter). For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule. @@ -193,11 +195,11 @@ Windows PowerShell Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 ``` -Netsh requires you to provide the name of the rule for it to be changed and we do not have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties. +Netsh requires you to provide the name of the rule for it to be changed and we don't have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties. -When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports do not appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you will need to get the filter objects themselves. +When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports don't appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you'll need to get the filter objects themselves. -You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. Using Windows PowerShell you query by port using the port filter, then assuming additional rules exist affecting the local port, you build with further queries until your desired rule is retrieved. +You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. Using Windows PowerShell, you query by port using the port filter, then assuming other rules exist affecting the local port, you build with further queries until your desired rule is retrieved. In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell’s ability to pipeline inputs. @@ -217,7 +219,7 @@ Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule Multiple rules in a group can be simultaneously modified when the associated group name is specified in a Set command. You can add firewall rules to specified management groups in order to manage multiple rules that share the same influences. -In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group is not possible in Netsh. +In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group isn't possible in Netsh. Windows PowerShell @@ -226,7 +228,7 @@ New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound - New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” ``` -If the group is not specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You cannot specify the group using `Set-NetFirewallRule` since the command allows querying by rule group. +If the group isn't specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You can't specify the group using `Set-NetFirewallRule` since the command allows querying by rule group. Windows PowerShell @@ -236,7 +238,7 @@ $rule.Group = “Telnet Management” $rule | Set-NetFirewallRule ``` -Using the `Set` command, if the rule group name is specified, the group membership is not modified but rather all rules of the group receive the same modifications indicated by the given parameters. +With the help of the `Set` command, if the rule group name is specified, the group membership isn't modified but rather all rules of the group receive the same modifications indicated by the given parameters. The following scriptlet enables all rules in a predefined group containing remote management influencing firewall rules. @@ -252,7 +254,7 @@ Windows PowerShell Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True ``` -There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. +There's also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. Windows PowerShell @@ -262,7 +264,7 @@ Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Managem ### Delete a firewall rule -Rule objects can be disabled so that they are no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device. +Rule objects can be disabled so that they're no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This cmdlet is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device. The following cmdlet deletes the specified existing firewall rule from the local policy store. @@ -286,7 +288,7 @@ Windows PowerShell Remove-NetFirewallRule –Action Block ``` -Note that it may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules. +It may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules. Windows PowerShell @@ -308,7 +310,7 @@ Windows PowerShell Get-NetFirewallRule –CimSession RemoteDevice ``` -We can perform any modifications or view rules on remote devices by simply using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote device. +We can perform any modifications or view rules on remote devices by using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote device. Windows PowerShell @@ -373,7 +375,7 @@ New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecur A corporate network may need to secure communications with another agency. But, you discover the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard. -You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying IKEv2 as the key module in an IPsec rule. This can only be done using computer certificate authentication and cannot be used with phase 2 authentication. +You can apply IKEv2 capabilities in Windows Server 2012 by specifying IKEv2 as the key module in an IPsec rule. This capability specification can only be done using computer certificate authentication and can't be used with phase-2 authentication. Windows PowerShell @@ -387,9 +389,9 @@ For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec C Firewall and IPsec rules with the same rule properties can be duplicated to simplify the task of re-creating them within different policy stores. -To copy the previously created rule from one policy store to another, the associated objects must be also be copied separately. Note that there is no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets. +To copy the previously created rule from one policy store to another, the associated objects must also be copied separately. There's no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets. -Copying individual rules is a task that is not possible through the Netsh interface. Here is how you can accomplish it with Windows PowerShell. +Copying individual rules is a task that isn't possible through the Netsh interface. Here's how you can accomplish it with Windows PowerShell. Windows PowerShell @@ -401,7 +403,7 @@ $Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name ### Handling Windows PowerShell errors -To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAction* parameter. This is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you will notice that it fails if the rule is not found. When removing rules, if the rule isn’t already there, it is generally acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation. +To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAction* parameter. This parameter is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. When rules are being removed, if the rule isn’t already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation. Windows PowerShell @@ -409,7 +411,7 @@ Windows PowerShell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue ``` -Note that the use of wildcards can also suppress errors, but they could potentially match rules that you did not intend to remove. This can be a useful shortcut, but should only be used if you know there aren’t any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any “not found” errors. +The use of wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there aren’t any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any “not found” errors. Windows PowerShell @@ -445,7 +447,7 @@ Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose The following Windows PowerShell commands are useful in the update cycle of a deployment phase. -To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command does not show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles. +To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command doesn't show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles. **Netsh** @@ -477,7 +479,7 @@ Get-NetIPsecMainModeSA ### Find the source GPO of a rule -To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can to determine which policy store a rule originates from. +To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can determine which policy store a rule originates from. For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *–TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field. @@ -487,13 +489,13 @@ Windows PowerShell Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore ``` -It is important to note that the revealed sources do not contain a domain name. +It's important to note that the revealed sources don't contain a domain name. ### Deploy a basic domain isolation policy IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object. -To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that is not protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this, you can isolate domain-joined devices from devices that are not joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. +To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that isn't protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this authentication, you can isolate domain-joined devices from devices that aren't joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. **Netsh** @@ -512,7 +514,7 @@ New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile D ### Configure IPsec tunnel mode -The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it is encrypted by using ESP/DES3. +The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it's encrypted by using ESP/DES3. **Netsh** @@ -534,7 +536,7 @@ In situations where only secure traffic can be allowed through the Windows Defen ### Create a secure firewall rule (allow if secure) -Configuring firewalls rule to allow connections if they are secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec. +Configuring firewalls rule to allow connections if they're secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec. The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule. @@ -575,7 +577,7 @@ New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -Inbound To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain. -IPsec can provide this additional layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. +IPsec can provide this extra layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. ### Create a firewall rule that requires group membership and encryption @@ -607,7 +609,7 @@ $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730940(v=technet.10)). -Telnet is an application that does not provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application. +Telnet is an application that doesn't provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This firewall rule is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application. In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group through the creation of the following firewall rule. @@ -638,7 +640,7 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr ### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass) -Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)). +Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This override is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)). In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group. @@ -655,7 +657,7 @@ Windows PowerShell New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation ``` -## Additional resources +## Other resources For more information about Windows PowerShell concepts, see the following topics. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index fbb11692e8..b2d5a9b049 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,24 +1,26 @@ --- title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security deployment overview -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. @@ -30,7 +32,7 @@ This guide is intended for use by system administrators and system engineers. It Begin by reviewing the information in [Planning to Deploy Windows Defender Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). -If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. +If you haven't yet selected a design, we recommend that you wait to follow the instructions in this guide until after you've reviewed the design options in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Defender Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: @@ -46,11 +48,11 @@ Use the checklists in [Implementing Your Windows Defender Firewall with Advanced > [!CAUTION] > We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. -In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded. +In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this creation of accounts can result in network connectivity problems if network protocol limits are exceeded.   -## What this guide does not provide +## What this guide doesn't provide -This guide does not provide: +This guide doesn't provide: - Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Defender Firewall with Advanced Security Design Guide. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 623503499e..b23f7bc963 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,28 +1,30 @@ --- title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security design guide -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. +Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't authenticate can't communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. -The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. +The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. For more overview information, see [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md). @@ -32,25 +34,25 @@ This guide provides recommendations to help you to choose or create a design for This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals. -Windows Defender Firewall should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. +Windows Defender Firewall should be part of a comprehensive security solution that implements various security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. -You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: +You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those goals presented here: - **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. -- **Domain isolation policy design**. Prevents devices that are domain members from receiving unsolicited network traffic from devices that are not domain members. Additional "zones" can be established to support the special requirements of some devices, such as: +- **Domain isolation policy design**. Prevents devices that are domain members from receiving unsolicited network traffic from devices that aren't domain members. More "zones" can be established to support the special requirements of some devices, such as: - A "boundary zone" for devices that must be able to receive requests from non-isolated devices. - An "encryption zone" for devices that store sensitive data that must be protected during network transmission. -- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and devices. Commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of devices. +- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and devices. This server can be commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of devices. -- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables devices that are not part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution. +- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This design enables devices that aren't part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution. -In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide. +In addition to descriptions and example for each design, you'll find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide. You can find the Windows Defender Firewall with Advanced Security Deployment Guide at these locations: @@ -67,7 +69,7 @@ Deployment Guide at these locations: | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security implementation goals. | | [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. | | [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | -| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. | +| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you've gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. | | [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). | ## Terminology used in this guide @@ -78,19 +80,19 @@ The following table identifies and defines terms used throughout this guide. | - | - | | Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. | | Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.| -| Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that are not members of the isolated domain. Devices in the boundary zone request but do not require authentication. They use IPsec to communicate with other devices in the isolated domain.| -| Connection security rule | A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.| -| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| -| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| +| Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that aren't members of the isolated domain. Devices in the boundary zone request but don't require authentication. They use IPsec to communicate with other devices in the isolated domain.| +| Connection security rule | A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this rule was called an *IPsec rule*.| +| Certificate-based isolation | A way to add devices that can't use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that can't use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| +| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that can't authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| | Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| | Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
                                By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
                                In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| -| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| +| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The extra protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| | Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.| -| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. | -| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
                                This is not related to the term zone as used by Domain Name System (DNS). | +| Unsolicited network traffic | Network traffic that isn't a response to an earlier request, and that the receiving device can't necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. | +| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
                                This term zone isn't related to the one used by Domain Name System (DNS). | **Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 966c5e4a6a..dc08cf7455 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -3,31 +3,33 @@ title: Windows Defender Firewall with Advanced Security (Windows) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ms.prod: m365-security ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: +ms.reviewer: jekrynit ms.custom: asr ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above -This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. +This topic is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ## Overview of Windows Defender Firewall with Advanced Security -Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. +Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't be authenticated as a trusted device can't communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. -The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. +The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. @@ -40,9 +42,9 @@ Windows Defender Firewall with Advanced Security is an important part of a layer To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits: -- **Reduces the risk of network security threats.**  Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. +- **Reduces the risk of network security threats.**  Windows Defender Firewall reduces the attack surface of a device, providing an extra layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. - **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. -- **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). +- **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md index be77c53fd5..7d809b3599 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md @@ -19,9 +19,9 @@ Windows Sandbox benefits from new container technology in Windows to achieve a c ## Dynamically generated image -Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology leverages the copy of Windows already installed on the host. +Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology uses the copy of Windows already installed on the host. -Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and cannot be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows. +Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and can't be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. With the help of this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an extra copy of Windows. Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space. @@ -35,7 +35,7 @@ Traditional VMs apportion statically sized allocations of host memory. When reso ## Memory sharing -Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets. +Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets. ![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png) @@ -45,7 +45,7 @@ With ordinary virtual machines, the Microsoft hypervisor controls the scheduling ![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png) -Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container. +Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work will be prioritized, whether it's on the host or in the container. ## WDDM GPU virtualization diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 94adc3d7c8..c4b16514e9 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -21,7 +21,7 @@ A configuration file enables the user to control the following aspects of Window - **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP). - **Networking**: Enable or disable network access within the sandbox. -- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data. +- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories may allow malicious software to affect the system or steal data. - **Logon command**: A command that's executed when Windows Sandbox starts. - **Audio input**: Shares the host's microphone input into the sandbox. - **Video input**: Shares the host's webcam input into the sandbox. @@ -32,9 +32,9 @@ A configuration file enables the user to control the following aspects of Window ## Creating a configuration file -To create a simple configuration file: +To create a configuration file: -1. Open a plain text editor or source code editor (e.g. Notepad, Visual Studio Code, etc.) +1. Open a plain text editor or source code editor (for example, Notepad, Visual Studio Code, etc.) 2. Insert the following lines: ```XML @@ -43,7 +43,7 @@ To create a simple configuration file: ``` 3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below. -4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, e.g. `"My config file.wsb"`. +4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`. ## Using a configuration file @@ -65,7 +65,7 @@ Supported values: - *Enable*: Enables vGPU support in the sandbox. - *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU. -- *Default* This is the default value for vGPU support. Currently this means vGPU is disabled. +- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is disabled. > [!NOTE] > Enabling virtualized GPU can potentially increase the attack surface of the sandbox. @@ -78,14 +78,14 @@ Enables or disables networking in the sandbox. You can disable network access to Supported values: - *Disable*: Disables networking in the sandbox. -- *Default*: This is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC. +- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC. > [!NOTE] > Enabling networking can expose untrusted applications to the internal network. ### Mapped folders -An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop. +An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder will be mapped to the container user's desktop. ```xml @@ -100,7 +100,7 @@ An array of folders, each representing a location on the host machine that will ``` -*HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host, or the container will fail to start. +*HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container will fail to start. *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop. @@ -112,7 +112,7 @@ An array of folders, each representing a location on the host machine that will ### Logon command -Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. +Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an administrator account. ```xml @@ -120,7 +120,7 @@ Specifies a single command that will be invoked automatically after the sandbox ``` -*Command*: A path to an executable or script inside the container that will be executed after login. +*Command*: A path to an executable or script inside the container that will be executed after signing in. > [!NOTE] > Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive. @@ -134,7 +134,7 @@ Enables or disables audio input to the sandbox. Supported values: - *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability. - *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting. -- *Default*: This is the default value for audio input support. Currently this means audio input is enabled. +- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled. > [!NOTE] > There may be security implications of exposing host audio input to the container. @@ -148,21 +148,21 @@ Enables or disables video input to the sandbox. Supported values: - *Enable*: Enables video input in the sandbox. - *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox. -- *Default*: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox. +- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox. > [!NOTE] > There may be security implications of exposing host video input to the container. ### Protected client -Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface. +Applies more security settings to the sandbox Remote Desktop client, decreasing its attack surface. `value` Supported values: - *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled. - *Disable*: Runs the sandbox in standard mode without extra security mitigations. -- *Default*: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode. +- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode. > [!NOTE] > This setting may restrict the user's ability to copy/paste files in and out of the sandbox. @@ -176,7 +176,7 @@ Enables or disables printer sharing from the host into the sandbox. Supported values: - *Enable*: Enables sharing of host printers into the sandbox. - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. -- *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled. +- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled. ### Clipboard redirection @@ -186,7 +186,7 @@ Enables or disables sharing of the host clipboard with the sandbox. Supported values: - *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. -- *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*. +- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*. ### Memory in MB @@ -197,7 +197,7 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB). If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. ## Example 1 -The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. +The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. ### Downloads.wsb diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index ec43ba1f84..e42fab8ddb 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -60,13 +60,15 @@ The following video provides an overview of Windows Sandbox. 3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2. + If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2. > [!NOTE] > To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**. 4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. + > [!NOTE] + > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually. ## Usage 1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index 42b2cb57a7..5e0c376121 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -17,7 +17,7 @@ ms.technology: windows-sec **What is the Microsoft Security Compliance Manager (SCM)?** -The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO Backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. +The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO Backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). @@ -32,7 +32,7 @@ Any version of Windows baseline before Windows 10 1703 can still be downloaded u **What file formats are supported by the new SCT?** -The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported. +The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported. **Does SCT support Desired State Configuration (DSC) file format?** @@ -44,7 +44,7 @@ No. A potential alternative is Desired State Configuration (DSC), a feature of t **Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?** -No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support. +No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit likewise doesn't include SCAP support.
                                diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index f1ca17ad61..1a2434ffeb 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -54,7 +54,7 @@ The Security Compliance Toolkit consists of: - GPO to Policy Rules -You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/). +You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more information about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/). ## What is the Policy Analyzer tool? @@ -64,7 +64,7 @@ The Policy Analyzer is a utility for analyzing and comparing sets of Group Polic - Compare GPOs against current local policy and local registry settings - Export results to a Microsoft Excel spreadsheet -Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. +Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/new-tool-policy-analyzer) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). @@ -72,7 +72,7 @@ More information on the Policy Analyzer tool can be found on the [Microsoft Secu LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. -LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. +LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 18cb5242f6..ec95bffc72 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -15,68 +15,66 @@ ms.technology: windows-sec # Security baselines +## Using security baselines in your organization -## Using security baselines in your organization - -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft 365 apps for enterprise and Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. +Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft 365 apps for enterprise and Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. -We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. +We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This industry-standard configuration helps increase flexibility and reduce costs. -Here is a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions). +For more information, see the following blog post: [Sticking with well-known and proven solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions). -## What are security baselines? +## What are security baselines? -Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. +Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. -A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. +A security baseline is a group of Microsoft-recommended configuration settings that explains their security implication. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. -## Why are security baselines needed? +## Why are security baselines needed? -Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. +Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. -For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. +For example, there are over 3,000 group policy settings for Windows 10, which doesn't include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security implication of each setting on your own. Then, you would still need to determine the appropriate value for each setting. -In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups. +In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups. ## Baseline principles + Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially: -- The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights. -- A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks they mitigate. -- A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: - - If a non-administrator can set an insecure state, enforce the default. - - If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly. -## How can you use security baselines? +- The baselines are designed for well-managed, security-conscious organizations in which standard end users don't have administrative rights. +- A baseline enforces a setting only if it mitigates a contemporary security threat and doesn't cause operational issues that are worse than the risks they mitigate. +- A baseline enforces a default only if it's otherwise likely to be set to an insecure state by an authorized user: + - If a non-administrator can set an insecure state, enforce the default. + - If setting an insecure state requires administrative rights, enforce the default only if it's likely that a misinformed administrator will otherwise choose poorly. -You can use security baselines to: -- Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. +## How can you use security baselines? -## Where can I get the security baselines? +You can use security baselines to: + +- Ensure that user and device configuration settings are compliant with the baseline. +- Set configuration settings. For example, you can use group policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. + +## Where can I get the security baselines? There are several ways to get and use security baselines: -1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md) +1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The SCT also includes tools to help you manage the security baselines. You can also [get support for the security baselines](get-support-for-security-baselines.md) -2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. +2. [Mobile device management (MDM) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool. -3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all). +3. MDM security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all). ## Community [![Microsoft Security Guidance Blog.](./../images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) -## Related Videos +## Related videos -You may also be interested in this msdn channel 9 video: -- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO) +> [!VIDEO https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo] -## See Also +## See also -- [Microsoft Endpoint Configuration Manager](/configmgr/) -- [Azure Monitor](/azure/azure-monitor/) -- [Microsoft Security Guidance Blog](/archive/blogs/secguide/) -- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) -- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) +- [Microsoft Security Guidance Blog](/archive/blogs/secguide/) +- [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index a0e24a1035..409613d466 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -25,7 +25,7 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. -As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. +As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it's trusted by the Secure Boot policy and hasn’t been tampered with. ## Trusted Boot diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index f042c1d12b..4cea2b5834 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -25,11 +25,11 @@ The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) princip The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources. -[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources. +[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources. -Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. +Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. -Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources. +Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources. ## Device health attestation on Windows Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: @@ -38,23 +38,23 @@ Attestation helps verify the identity and status of essential components and tha - If the operating system booted correctly - If the OS has the right set of security features enabled -These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device has not been tampered with. +These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with. -Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. A summary of the steps involved in attestation and Zero Trust on the device side are as follows: 1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. -2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service. +2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service. 3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). 4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Azure Active Directory conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. -5. The attestation service does the following: +5. The attestation service does the following tasks: - - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log. + - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log. - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM. - Verify that the security features are in the expected states. diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md deleted file mode 100644 index 77dfd79528..0000000000 --- a/windows/whats-new/contribute-to-a-topic.md +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: Edit an existing topic using the Edit link -description: Instructions about how to edit an existing topic by using the Edit link on docs.microsoft.com. -ms.prod: w10 -ms.date: 10/13/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp -author: dansimp -ms.topic: tutorial ---- - -# Editing existing Windows IT professional documentation -You can make suggestions and update existing, public content with just a GitHub account and a simple click of a link. You can use GitHub pull requests to edit the technical articles in the Windows IT libraries and then ask us to "pull" your changes into the published articles. - ->[!NOTE] ->At this time, you can only edit the English (en-us) content. - -Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner of an article, you can suggest changes to it. You can specifically edit articles in the following libraries: - -- [Windows 10](/windows/windows-10) -- [Windows Server](/windows-server/) -- [Microsoft Edge](/microsoft-edge/deploy) -- [Surface](/surface) -- [Surface Hub](/surface-hub) -- [HoloLens](/hololens) -- [Microsoft Store](/microsoft-store) -- [Windows 10 for Education](/education/windows) -- [Windows 10 for SMB](/windows/smb) -- [Internet Explorer 11](/internet-explorer) -- [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack) - - -**To edit a topic** - -1. Go to the article that you want to update, and then click **Edit**. - - ![GitHub Web, showing the Edit link.](images/contribute-link.png) - -2. Sign into (or sign up for) a GitHub account. - - You must have a GitHub account to get to the page that lets you edit a topic. - -3. Click the **Pencil** icon (in the red box) to edit the content. - - ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) - -4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) - - - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) - -5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - - ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) - -6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**. - - ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) - - The **Comparing changes** screen shows the changes between your version of the article and the original content. - -7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. (Occasionally there are merge conflicts, where you've edited the file one way, while someone else edited the same lines in the same file in a different way. Before you can propose your changes, you need to fix those conflicts.) - - If there are no problems, you’ll see the message, **Able to merge**. - - ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) - -8. Click **Create pull request**. - -9. Enter a title and description to let us know what’s in the request. - -10. Scroll to the bottom of the page, and make sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people. - -11. Click **Create pull request** again to actually submit your edits. - -12. If you aren't a Microsoft employee, you need to [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories. A bot running in GitHub checks whether you've signed the CLA - if not, you'll be prompted, in the pull request, to sign it. - - If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step. - -Next, the pull request is sent to one of our writers to review your edits for technical and editorial accuracy. If we have any suggestions or questions, we'll add them to the pull request where we can discuss them with you. If we accept your edits, you'll see your changes the next time the article is published. \ No newline at end of file diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 051b32e193..19bd51f371 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/**/*.png", "**/**/*.jpg", + "**/*.svg", "**/**/*.gif" ], "exclude": [ @@ -39,7 +40,7 @@ "audience": "ITPro", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-whats-new", diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 6e75a1fb9f..94de09d07a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -21,7 +21,7 @@ This article lists new and updated features and content that are of interest to ### Provisioning devices using Windows Imaging and Configuration Designer (ICD) -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. An IT administrator who uses Windows Provisioning can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. [Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) @@ -33,7 +33,7 @@ AppLocker was available for Windows 8.1, and is improved with Windows 10. See [R Enhancements to AppLocker in Windows 10 include: -- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**. - A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server. [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). @@ -42,7 +42,7 @@ Enhancements to AppLocker in Windows 10 include: Enhancements to AppLocker in Windows 10 include: -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online. - **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. - **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." @@ -67,10 +67,10 @@ In Windows 10, security auditing has added some improvements: #### New audit subcategories In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event. - [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play. A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs is included in the event. #### More info added to existing audit events @@ -86,20 +86,20 @@ With Windows 10, version 1507, we've added more info to existing audit events to #### Changed the kernel default audit policy -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve information in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This setting results in better auditing of services that may start before LSA starts. #### Added a default process SACL to LSASS.exe -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is `L"S:(AU;SAFA;0x0010;;;WD)"`. You can enable this process under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This process-when enabled-can help identify attacks that steal credentials from the memory of a process. -#### New fields in the logon event +#### New fields in the sign-in event -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: 1. **MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. + If the account that signed in to the PC is a computer account, this field will be yes. Otherwise, the field is no. 2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. + If an account has signed in to the PC through the "administrative sign-in" method, this field will be yes. Otherwise, the field is no. Additionally, if this field is part of a split token, the linked sign-in ID (LSAP\_LOGON\_SESSION) will also be shown. 3. **TargetOutboundUserName** String **TargetOutboundUserDomain** String The username and domain of the identity that was created by the LogonUser method for outbound traffic. @@ -113,7 +113,7 @@ The logon event ID 4624 has been updated to include more verbose information to #### New fields in the process creation event -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +The sign-in event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: 1. **TargetUserSid** String The SID of the target principal. 2. **TargetUserName** String @@ -121,7 +121,7 @@ The logon event ID 4688 has been updated to include more verbose information to 3. **TargetDomainName** String The domain of the target user. 4. **TargetLogonId** String - The logon ID of the target user. + The sign-in ID of the target user. 5. **ParentProcessName** String The name of the creator process. 6. **ParentProcessId** String @@ -187,7 +187,7 @@ Some things that you can check on the device are: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. +You shouldn't turn off UAC because such a setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10. For more info about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). @@ -267,15 +267,15 @@ Administrators can also use mobile device management (MDM) or Group Policy to di Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: +By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient. - **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security). -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr). +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr). Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). @@ -284,7 +284,7 @@ For more information about updating Windows 10, see [Windows 10 servicing option ## Microsoft Edge -The new chromium-based Microsoft Edge is not included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download). +The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download). ## See Also diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 7ee18df927..74fe44632b 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -24,7 +24,7 @@ This article lists new and updated features and content that are of interest to ### Windows Imaging and Configuration Designer (ICD) -In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) Windows ICD now includes simplified workflows for creating provisioning packages: @@ -39,9 +39,9 @@ Windows ICD now includes simplified workflows for creating provisioning packages >[!IMPORTANT] >Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release. -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. Use Upgrade Readiness to get: @@ -65,9 +65,9 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it ### Windows Hello for Business -When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +When Windows 10 was first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work won't experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. -Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016: +Other changes for Windows Hello in Windows 10 Enterprise LTSC 2016: - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. @@ -79,7 +79,7 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016: #### New BitLocker features -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides extra protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. It provides the following benefits: - The algorithm is FIPS-compliant. - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. @@ -116,7 +116,7 @@ Several new features and management options have been added to Windows Defender - [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media. - [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to use the Windows Defender cloud for near-instant protection against new malware. - [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. - [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus). - [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. @@ -130,7 +130,7 @@ With the growing threat from more sophisticated targeted attacks, a new security ### VPN security - The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. -- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607) - Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure). @@ -156,7 +156,7 @@ This version of Windows 10, introduces shared PC mode, which optimizes Windows 1 Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. -With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. [Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) @@ -164,15 +164,15 @@ With the release of this version of Windows 10, App-V is included with the Windo Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. -With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to. -With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. [Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) ## Microsoft Edge -The new chromium-based Microsoft Edge is not included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download). +The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download). ## See Also diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index a5e9788ba1..d71d316113 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -71,7 +71,7 @@ But these protections can also be configured separately. And, unlike HVCI, code ### Endpoint detection and response -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. +Endpoint detection and response are improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). @@ -366,7 +366,7 @@ For more information about Update Compliance, see [Monitor Windows Updates with ### Privacy -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) app. +In the Feedback and Settings page under Privacy Settings, you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) app. ## Configuration diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index e91667cc1a..d79885ad46 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -36,7 +36,7 @@ For more information about the lifecycle for this release, see [The next Windows ### System Guard -[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code can't access the OS memory and secrets. In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO. @@ -64,17 +64,17 @@ Windows Defender Firewall now offers the following benefits: **Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. -**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). +**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). -The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. +The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. -Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on other tools. +Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enhancement enables analysis of firewall behavior and rich packet capture without relying on other tools. Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](/windows/wsl/); You can add rules for WSL process, just like for Windows processes. For more information, see [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97). ### Virus and threat protection -[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses. [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. @@ -82,11 +82,11 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -**Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. +**Emergency outbreak protection**: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected. **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. -**Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. +**Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies. **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). @@ -103,19 +103,19 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure Application Guard policies on your device. 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. - 3. Follow any additional configuration steps on the extension setup page. + 3. Follow any of the other configuration steps on the extension setup page. 4. Reboot the device. 5. Navigate to an untrusted site in Chrome and Firefox. **Dynamic navigation**: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. Application Guard performance is improved with optimized document opening times: -- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- An issue is fixed that could cause a one-minute-or-more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This issue can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. - A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle. - The performance of Robocopy is improved when copying files over 400 MB in size. @@ -125,12 +125,12 @@ Application Guard performance is improved with optimized document opening times: ### Application Control -[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added a number of new features that light up key scenarios and provide feature parity with AppLocker. +[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added many new features that light up key scenarios and provide feature parity with AppLocker. - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                                - This brings Windows Defender Application Control (WDAC) to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for unknown admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
                                + This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. ## Identity and privacy @@ -138,12 +138,12 @@ Application Guard performance is improved with optimized document opening times: Windows Hello enhancements include: - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. -- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). - Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). - With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. - Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. -- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. - [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. - [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. @@ -151,7 +151,7 @@ Windows Hello enhancements include: #### Windows Defender Credential Guard -[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. +[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. ### Privacy controls @@ -173,7 +173,7 @@ Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows U A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). -Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). @@ -189,12 +189,11 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf #### Key-rolling and Key-rotation This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. - ## Deployment ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Reserved storage diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 8190b90e04..5078ed991a 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) -description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511). +description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)? ms.reviewer: ms.prod: w10 author: aczechowski @@ -23,7 +23,7 @@ Below is a list of some of the new and updated features included in the initial ### Provisioning devices using Windows Imaging and Configuration Designer (ICD) -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. An IT administrator using Windows Provisioning can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. [Learn more about provisioning in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) @@ -34,8 +34,8 @@ With Windows 10, you can create provisioning packages that let you quickly and e #### New AppLocker features in Windows 10, version 1507 -- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server. [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). @@ -43,7 +43,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e #### New BitLocker features in Windows 10, version 1511 -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides extra protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. It provides the following benefits: - The algorithm is FIPS-compliant. - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. @@ -55,7 +55,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online. - **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. - **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." @@ -66,11 +66,11 @@ With Windows 10, you can create provisioning packages that let you quickly and e #### New Credential Guard features in Windows 10, version 1511 - **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: - - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. + - Credentials that are saved by the Remote Desktop Protocol can't be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. -- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. -- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. + - You can't restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this backup before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. +- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This setting allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can do this configuration by using Group Policy. +- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg can't delegate default credentials when Credential Guard is enabled. [Learn how to deploy and manage Credential Guard within your organization](/windows/access-protection/credential-guard/credential-guard). @@ -100,10 +100,10 @@ In Windows 10, security auditing has added some improvements: ##### New audit subcategories In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's sign-in token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event. - [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play. A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. ##### More info added to existing audit events @@ -111,7 +111,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Poli With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: - [Changed the kernel default audit policy](#bkmk-kdal) - [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the sign-in event](#bkmk-logon) - [Added new fields in the process creation event](#bkmk-logon) - [Added new Security Account Manager events](#bkmk-sam) - [Added new BCD events](#bkmk-bcd) @@ -119,20 +119,20 @@ With Windows 10, version 1507, we've added more info to existing audit events to ##### Changed the kernel default audit policy -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This setting results in better auditing of services that may start before LSA starts. ##### Added a default process SACL to LSASS.exe -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is `L"S:(AU;SAFA;0x0010;;;WD)"`. You can enable this process under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This process can help identify attacks that steal credentials from the memory of a process. -##### New fields in the logon event +##### New fields in the sign-in event -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: 1. **MachineLogon** String: yes or no If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. 2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. + If an account signed in to the PC through the "administrative sign-in" method, this field will be yes. Otherwise, the field is no. Additionally, if this field is part of a split token, the linked sign-in ID (LSAP\_LOGON\_SESSION) will also be shown. 3. **TargetOutboundUserName** String **TargetOutboundUserDomain** String The username and domain of the identity that was created by the LogonUser method for outbound traffic. @@ -146,7 +146,7 @@ The logon event ID 4624 has been updated to include more verbose information to ##### New fields in the process creation event -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +The sign-in event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: 1. **TargetUserSid** String The SID of the target principal. 2. **TargetUserName** String @@ -154,7 +154,7 @@ The logon event ID 4688 has been updated to include more verbose information to 3. **TargetDomainName** String The domain of the target user.. 4. **TargetLogonId** String - The logon ID of the target user. + The sign-in ID of the target user. 5. **ParentProcessName** String The name of the creator process. 6. **ParentProcessId** String @@ -224,9 +224,9 @@ Some things that you can check on the device are: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. +You shouldn't turn off UAC because this setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10. -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). +For more information about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). In Windows 10, User Account Control has added some improvements. @@ -309,7 +309,7 @@ Administrators can also use mobile device management (MDM) or Group Policy to di ### Microsoft Store for Business **New in Windows 10, version 1511** -With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. +With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or reuse licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. For more information, see [Microsoft Store for Business overview](/microsoft-store/windows-store-for-business-overview). @@ -318,15 +318,15 @@ For more information, see [Microsoft Store for Business overview](/microsoft-sto Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: +By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient. - **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security). -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr). +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr). Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 48342fd24c..981388e744 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) -description: What's new in Windows 10 for Windows 10 (version 1607). +description: What's new in Windows 10 for Windows 10 (version 1607)? ms.prod: w10 ms.localizationpriority: medium ms.reviewer: @@ -22,7 +22,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1 ### Windows Imaging and Configuration Designer (ICD) -In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) Windows ICD now includes simplified workflows for creating provisioning packages: @@ -34,9 +34,9 @@ Windows ICD now includes simplified workflows for creating provisioning packages ### Windows Upgrade Readiness -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. Use Upgrade Readiness to get: @@ -69,9 +69,9 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it ### Windows Hello for Business -When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +When Windows 10 was first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work won't experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. -Additional changes for Windows Hello in Windows 10, version 1607: +Other changes for Windows Hello in Windows 10, version 1607: - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. @@ -82,7 +82,7 @@ Additional changes for Windows Hello in Windows 10, version 1607: ### VPN - The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. -- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607) - Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure). @@ -102,7 +102,7 @@ Several new features and management options have been added to Windows Defender - [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media. - [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to use the Windows Defender cloud for near-instant protection against new malware. - [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. - [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus). - [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. @@ -136,17 +136,17 @@ Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. -With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. +With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. [Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) ### User Experience Virtualization (UE-V) for Windows 10 -Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. -With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to. -With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. +With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. [Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 5a1f162a4f..c6f958b3fe 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -15,7 +15,7 @@ ROBOTS: NOINDEX Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). -For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). +For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). >[!NOTE] >Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](/windows/deployment/planning/windows-10-removed-features). @@ -59,18 +59,15 @@ Enterprises have been able to apply customized Start and taskbar layouts to devi Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). -[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: +[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: - Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) - Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) -- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). - - - +- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). ### Cortana at work -Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, optimized for your business. When your employees sign in with an Azure Active Directory (Azure AD) account, they can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. @@ -83,9 +80,9 @@ For more info about Cortana at work, see [Cortana integration in your business o MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. -Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. +Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). @@ -106,7 +103,7 @@ New features in Microsoft Defender for Endpoint for Windows 10, version 1703 inc - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. -- **Response**: When detecting an attack, security response teams can now take immediate action to contain a breach: +- **Response**: When an attack is detected, security response teams can now take immediate action to contain a breach: - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. @@ -145,7 +142,7 @@ You can read more about ransomware mitigations and detection capability in Micro ### Device Guard and Credential Guard -Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. +More security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). ### Group Policy Security Options @@ -153,7 +150,7 @@ For more information, see [Device Guard Requirements](/windows/device-security/d The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign-in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. ### Windows Hello for Business @@ -172,7 +169,7 @@ You can also now collect your audit event logs by using the Reporting configurat ### Windows Update for Business -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy hasn't been configured. We've also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. @@ -184,12 +181,12 @@ We recently added the option to download Windows 10 Insider Preview builds using ### Optimize update delivery -With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, and with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. -Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. +Delivery Optimization policies now enable you to configure more restrictions to have more control in various scenarios. Added policies include: - [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) @@ -204,7 +201,7 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1 Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. -Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703. +Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This condition won't apply to the update from Windows 10, version 1607 (or earlier) to version 1703. ## Management @@ -214,7 +211,7 @@ Windows 10, version 1703 adds many new [configuration service providers (CSPs)]( Some of the other new CSPs are: -- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. +- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. @@ -237,7 +234,7 @@ For more info, see [Implement server-side support for mobile application managem ### MDM diagnostics -In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. +In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an extra tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. @@ -265,32 +262,31 @@ Learn about the new Group Policies that were added in Windows 10, version 1703. In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb). -Miracast over Infrastructure offers a number of benefits: +Miracast over Infrastructure offers many benefits: - Windows automatically detects when sending the video stream over this path is applicable. - Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. - No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. -- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. - +- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct. +- It uses an existing connection that reduces the time to connect and provides a stable stream. ### How it works -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, and via multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. ### Enabling Miracast over Infrastructure -If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: +If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following requirements are true within your deployment: - The device (PC or Surface Hub) needs to be running Windows 10, version 1703. - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (for example, using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this resolution by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. +It's important to note that Miracast over Infrastructure isn't a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. ## New features in related products The following new features aren't part of Windows 10, but help you make the most of it. diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 0585c1b9ab..4e26d46510 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -39,14 +39,14 @@ Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your ### Autopilot Reset -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom sign-in screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). ## Update ### Windows Update for Business -Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). +Windows Update for Business now has more controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). ### Windows Insider Program for Business @@ -98,7 +98,7 @@ Window Defender Exploit Guard provides intrusion prevention capabilities to redu ### Windows Defender Device Guard -Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). +Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). ### Windows Information Protection @@ -106,7 +106,7 @@ Windows Information Protection is now designed to work with Microsoft Office and ### Windows Hello -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](/windows/access-protection/hello-for-business/hello-identity-verification). +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](/windows/access-protection/hello-for-business/hello-identity-verification). ### BitLocker diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index d8903b9bbb..159845ee44 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -30,7 +30,7 @@ The following 3-minute video summarizes some of the new features that are availa [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10. -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. +With the help of Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information. @@ -45,13 +45,13 @@ Some additional information about Windows 10 in S mode: - Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps. - S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices. -If you want to switch out of S mode, you will be able to do so at no charge, regardless of edition. Once you switch out of S mode, you cannot switch back. +If you want to switch out of S mode, you'll be able to do so at no charge, regardless of edition. Once you switch out of S mode, you can't switch back. For more information, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). ### Windows 10 kiosk and Kiosk Browser -With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below. +With this release, you can easily deploy and manage kiosk devices with Microsoft Intune in single- and multiple-app scenarios. These scenarios include the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below. - Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons. - Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies @@ -78,7 +78,7 @@ The following new DISM commands have been added to manage feature updates: | Command | Description | |---|---| -| `DISM /Online /Initiate-OSUninstall` | Initiates a OS uninstall to take the computer back to the previous installation of windows. | +| `DISM /Online /Initiate-OSUninstall` | Initiates an OS uninstall to take the computer back to the previous installation of windows. | | `DISM /Online /Remove-OSUninstall` | Removes the OS uninstall capability from the computer. | | `DISM /Online /Get-OSUninstallWindow` | Displays the number of days after upgrade during which uninstall can be performed. | | `DISM /Online /Set-OSUninstallWindow` | Sets the number of days after upgrade during which uninstall can be performed. | @@ -96,7 +96,7 @@ Prerequisites: For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option: +It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option: `/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` @@ -107,8 +107,8 @@ New command-line switches are also available to control BitLocker: | Command | Description | |---|---| | `Setup.exe /BitLocker AlwaysSuspend` | Always suspend BitLocker during upgrade. | -| `Setup.exe /BitLocker TryKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. | -| `Setup.exe /BitLocker ForceKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. | +| `Setup.exe /BitLocker TryKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade doesn't work, then suspend BitLocker and complete the upgrade. | +| `Setup.exe /BitLocker ForceKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade doesn't work, fail the upgrade. | For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) @@ -116,15 +116,15 @@ For more information, see [Windows Setup Command-Line Options](/windows-hardware [SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. -SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Windows Update for Business -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure). +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure). ### Feature update improvements -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This migration has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). ## Configuration @@ -144,10 +144,10 @@ The OS uninstall period is a length of time that users are given when they can o - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. - You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. - New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. -- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). +- It's easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) @@ -159,7 +159,7 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure ### Privacy -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. +In the Feedback and Settings page under Privacy Settings, you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. ## Security @@ -169,7 +169,7 @@ The new [security baseline for Windows 10 version 1803](/windows/security/threat ### Microsoft Defender Antivirus -Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). +Microsoft Defender Antivirus now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud-based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). ### Windows Defender Exploit Guard @@ -193,7 +193,7 @@ Windows Defender Application Guard has added support for Edge. For more informat ### Windows Defender Device Guard -Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). +Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). ### Windows Information Protection @@ -215,7 +215,7 @@ Update Compliance has added Delivery Optimization to assess the bandwidth consum ### Device Health -Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using). +Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords—for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using). ## Microsoft Edge diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index d587dd6af5..92e1871b97 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -15,7 +15,7 @@ ROBOTS: NOINDEX >Applies To: Windows 10, version 1809 -In this article we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. +In this article, we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. The following 3-minute video summarizes some of the new features that are available for IT Pros in this release. @@ -46,33 +46,33 @@ We’ve continued to work on the **Current threats** area in [Virus & threat pr > [!div class="mx-imgBorder"] > ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings") -With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. +With controlled folder access, you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. -We added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. +We added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time isn't properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. -This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). +This functionality also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). ### BitLocker #### Silent enforcement on fixed drives -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD)-joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD)-joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this effect of the encryption still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. -This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. +This new functionality is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and used by Intune and others. This feature will soon be enabled on Olympia Corp as an optional feature. #### Delivering BitLocker policy to AutoPilot devices during OOBE -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This option allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. -To achieve this: +To achieve this setting: 1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. @@ -94,7 +94,7 @@ Windows Defender Application Guard (WDAG) introduced a new user interface inside Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). -To try this: +To try this settings management, perform the following steps: 1. Go to **Windows Security** and select **App & browser control**. @@ -122,17 +122,17 @@ See the following example: Windows Defender Security Center is now called **Windows Security Center**. -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. +You can still get to the app in all the usual ways–ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. +The WSC service now requires antivirus products to run as a protected process to register. Products that haven't yet implemented this execution won't appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you've enabled that option in **Color Settings**. ![alt text.](images/defender.png "Windows Security Center") ### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes -You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). +You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This support was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). ### Microsoft Edge Group Policies @@ -140,9 +140,9 @@ We introduced new group policies and Modern Device Management settings to manage ### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory-joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. +Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. ### Windows 10 Pro S Mode requires a network connection @@ -153,10 +153,10 @@ A network connection is now required to set up a new device. As a result, we rem [Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: - [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics)
                                -Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain, increase organizational resilience, and prevent specific threats. - [Custom detection](/microsoft-365/security/defender/custom-detections-overview)
                                - With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This query creation can be done by using the power of Advanced hunting through the creation of custom detection rules. - [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
                                Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. @@ -164,10 +164,10 @@ The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. - [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
                                -Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers. +Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers. - [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
                                -Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines. +Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines. - [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
                                Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. @@ -185,7 +185,7 @@ Cloud clipboard helps users copy content between devices. It also manages the cl 3. Turn on **Clipboard history**. -4. Turn on **Sync across devices**. Chose whether or not to automatically sync copied text across your devices. +4. Turn on **Sync across devices**. Choose whether or not to automatically sync copied text across your devices. ## Kiosk setup experience @@ -199,7 +199,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty 1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. -2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. +2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users can't minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. ![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") @@ -212,7 +212,7 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ ![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") -**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. +**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store isn't set up, users can't get books. ![normal mode.](images/Normal_inFrame.png "normal mode") @@ -245,12 +245,12 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables >[!IMPORTANT] >This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time. -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass. +Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows sign-in support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass. **To try out web sign-in:** 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in. 3. On the lock screen, select web sign-in under sign-in options. @@ -264,12 +264,11 @@ Until now, Windows logon only supported the use of identities federated to ADFS ## Your Phone app -Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. +Android phone users, you can finally stop emailing yourself photos. With Your Phone, you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. -For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. +For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing-read, watch, or browse-with all the benefits of a bigger screen. -> [!div class="mx-imgBorder"] -> ![your phone.](images/your-phone.png "your phone") +:::image type="content" source="images/your-phone.png" alt-text="Your phone."::: The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. @@ -278,8 +277,8 @@ The desktop pin takes you directly to the **Your Phone** app for quicker access One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: * Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible -* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly -* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. +* Video mode increases the screen-to-screen latency to ensure the video on the large screen plays back smoothly +* Productivity modes strike a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. ![wireless projection banner.](images/beaming.png "wireless projection banner") diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index d29e02749d..4dbfe4141b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -26,15 +26,15 @@ This article lists new and updated features and content that are of interest to [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: -- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users. - The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. - [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Reserved storage @@ -42,13 +42,13 @@ This article lists new and updated features and content that are of interest to ## Servicing -- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. -- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally. +- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again. - **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. -- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. +- **Intelligent active hours**: To further enhance active hours, users will now be able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. - **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. ## Security @@ -71,7 +71,7 @@ The draft release of the [security configuration baseline settings](/archive/blo ### Microsoft Defender for Endpoint -- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses. - [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. @@ -80,9 +80,9 @@ The draft release of the [security configuration baseline settings](/archive/blo ### Microsoft Defender for Endpoint next-gen protection technologies: - **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. +- **Emergency outbreak protection**: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected. - **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. -- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. +- **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies. ### Threat Protection @@ -91,26 +91,26 @@ The draft release of the [security configuration baseline settings](/archive/blo - [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure WDAG policies on your device. 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. - 3. Follow any additional configuration steps on the extension setup page. + 3. Follow any of the other configuration steps on the extension setup page. 4. Reboot the device. 5. Navigate to an untrusted site in Chrome and Firefox. - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. -- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has a number of new features that light up key scenarios and provide feature parity with AppLocker. +- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker. - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                                - This brings Windows Defender Application Control (WDAC) to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
                                + This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. #### System Guard -[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months. +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they'll be coming out in the next few months. This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: @@ -118,7 +118,7 @@ This new feature is displayed under the Device Security page with the string “ ### Identity Protection -- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. - [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. - Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! - [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. @@ -131,7 +131,7 @@ This new feature is displayed under the Device Security page with the string “ ## Microsoft Edge -Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information. +Several new features are coming in the next version of Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97). ## See Also diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 8f1b6a4c3c..4ca266485c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -21,11 +21,11 @@ This article lists new and updated features and content that are of interest to Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements. -To deliver these updates in an optimal fashion, we are providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you are running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update. +To deliver these updates in an optimal fashion, we're providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you're running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update. -If you are updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97). +If you're updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97). -**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, please see the [Windows lifecycle fact sheet](/lifecycle/faq/windows). +**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, see the [Windows lifecycle fact sheet](/lifecycle/faq/windows). ### Windows Server Update Services (WSUS) @@ -35,13 +35,13 @@ The Windows 10, version 1909 enablement package will be available on WSUS as [KB ### Windows Update for Business -If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. +If you're using Windows Update for Business, you'll receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. ## Security ### Windows Defender Credential Guard -[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. +[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. ### Microsoft BitLocker @@ -53,7 +53,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a ### Transport Layer Security (TLS) -An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/) +An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/) ## Virtualization @@ -65,7 +65,7 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190 [Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally! -Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant. +Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant. ## Deployment @@ -81,7 +81,7 @@ Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Mana [SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available. -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. . +SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Windows Assessment and Deployment Toolkit (ADK) @@ -115,7 +115,7 @@ With Intel Turbo Boost Max Technology 3.0, an operating system will use informat ### Debugging -Additional debugging capabilities for newer Intel processors have been added in this release. This is only relevant for hardware manufacturers. +More debugging capabilities for newer Intel processors have been added in this release. These newly added capabilities are only relevant for hardware manufacturers. ### Efficiency @@ -128,7 +128,7 @@ General battery life and power efficiency improvements for PCs with certain proc [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                                [What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
                                [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
                                -[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
                                +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
                                [How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
                                [How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
                                [What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
                                diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index a00b411668..e0d940dbf9 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -28,7 +28,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. -- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). @@ -36,7 +36,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings ### Windows Defender System Guard -In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO. With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. @@ -66,15 +66,15 @@ For more information, see Windows Setup enhancements in the [Windows IT Pro Blog In Windows 10, version 2004, SetupDiag is now automatically installed. -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. -During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. +During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. ### Windows Autopilot With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. -If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this skip was only supported with self-deploying profiles. ### Microsoft Endpoint Manager @@ -90,7 +90,7 @@ For information about what's new in the ADK, see [What's new in the Windows ADK ### Microsoft Deployment Toolkit (MDT) -MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. There is an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue. +MDT version 8456 supports Windows 10, version 2004, but there's currently an issue that causes MDT to incorrectly detect that UEFI is present. There's an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue. For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). @@ -102,9 +102,9 @@ Windows PowerShell cmdlets have been improved: - **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). - **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. -- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. +- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. -Additional improvements: +Other improvements: - Enterprise network [throttling is enhanced](/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. @@ -123,9 +123,9 @@ The following [Delivery Optimization](/windows/deployment/update/waas-delivery-o - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. -- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. +- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215). +- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue using deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215). ## Networking @@ -146,7 +146,7 @@ In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added [Windows Sandbox configuration](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes: - MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop. - AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox. -- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste. +- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This setting is disabled by default due to issues with copy & paste. - PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox. - ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox. - MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox. @@ -161,7 +161,7 @@ Windows Sandbox also has improved accessibility in this release, including: ### Windows Subsystem for Linux (WSL) -With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed. +With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but wouldn't shrink when no longer needed. [WSL2](/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization. @@ -169,7 +169,7 @@ For a full list of updates to WSL, see the [WSL release notes](/windows/wsl/rele ### Windows Virtual Desktop (WVD) -Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent). +Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, and the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent). ## Microsoft Edge @@ -205,7 +205,7 @@ Windows Search is improved in several ways. For more information, see [Superchar ### Virtual Desktops -There is a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely. +There's a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely. ### Bluetooth pairing @@ -262,4 +262,4 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha - [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses. - [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features. - [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features. -- [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed. +- [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed. diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md index b3f400dbeb..14b2588859 100644 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md @@ -57,7 +57,7 @@ Activities are grouped into the following phases: **Plan** > **Prepare** > **Dep - Ensure that [users are ready](/windows/deployment/update/prepare-deploy-windows) for updates **Deploy** and manage Windows 10 strategically in your organization: -- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the set up, configuration, and delivery of new devices +- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the setup, configuration, and delivery of new devices - Use [Configuration Manager](/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices - Use [Windows Update for Business](/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](/windows/deployment/update/waas-wufb-group-policy) for your devices - [Deploy Windows updates](/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS) @@ -73,7 +73,7 @@ Enhancements to Windows Autopilot since the last release of Windows 10 include: ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There's no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management @@ -146,4 +146,4 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                                [Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
                                [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
                                -[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
                                +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
                                diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 7f67c4a774..6b9654ecf4 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -20,7 +20,7 @@ ms.collection: highpri This article provides guidance to help you plan for Windows 11 in your organization. -Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11. +Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—and the same basic deployment strategy that you use today for Windows 10. You'll need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11. At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) @@ -29,13 +29,13 @@ At a high level, this strategy should include the following steps: - [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) - [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) -If you are looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. +If you're looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system isn't a familiar process for you, some items to consider are provided below: ## Determine eligibility -As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. +As a first step, you'll need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it's compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they're eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. @@ -45,19 +45,19 @@ The availability of Windows 11 will vary according to a device's hardware and wh ##### Managed devices -Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. +Managed devices are devices that are under organization control. Managed devices include those devices managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. -If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: +If you manage devices on behalf of your organization, you'll be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: -- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows 11 upgrade. -- Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. +- Ensuring that devices that don't meet the minimum hardware requirements aren't automatically offered the Windows 11 upgrade. +- More insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. > [!NOTE] > Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business or Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. ##### Unmanaged devices -Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. +Unmanaged devices are devices that aren't managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices aren't subject to organizational policies that manage upgrades or updates. Windows 11 will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows 11 once available** on products that are available for purchase. @@ -69,10 +69,10 @@ Just like Windows 10, the machine learning based [intelligent rollout](https://t The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows 11 is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. -As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: +As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. - Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. -- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). @@ -92,7 +92,7 @@ Along with user experience and security improvements, Windows 11 introduces enha When Windows 11 reaches general availability, a consolidated Windows 11 update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows 11 servicing announcements, known issues, and safeguard holds. -It is important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 General Availability Channel and Long-term Servicing Channel (LTSC) releases. +It's important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, and incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 General Availability Channel and Long-term Servicing Channel (LTSC) releases. ## Application compatibility @@ -104,7 +104,7 @@ If you run into compatibility issues or want to ensure that your organization's **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across various Windows features and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 532493e1e3..bbf3ef592b 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -30,7 +30,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### On-premises solutions -- If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you'll need to sync the new **Windows 11** product category. After you sync the product category, you'll see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. @@ -42,14 +42,14 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### Cloud-based solutions -- If you use Windows Update for Business policies, you will need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). - - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. +- If you use Windows Update for Business policies, you'll need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). + - If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. -- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. +- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11, which is true regardless of which management tool you use to configure Windows Update for Business policies. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. > [!NOTE] > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. @@ -64,13 +64,13 @@ The following are some common use cases and the corresponding Microsoft Endpoint - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps. - **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. -If you are exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. +If you're exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies -Every organization will transition to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you are a fast adopter or will make the transition over the coming months or years. +Every organization will transition to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you're a fast adopter or will make the transition over the coming months or years. -When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. +When you think of operating system updates as an ongoing process, you'll automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development @@ -81,7 +81,7 @@ For detailed information, see [Create a deployment plan](/windows/deployment/upd #### Review policies -Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. +Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly regarding the speed of the update process or security. #### Validate apps and infrastructure @@ -90,42 +90,44 @@ To validate that your apps, infrastructure, and deployment processes are ready f If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes: - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. -- Leverage Azure Virtual Desktop and Azure Marketplace images. +- Use Azure Virtual Desktop and Azure Marketplace images. - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows 11 Preview Builds, once they become available through the Windows Insider Program. #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you'll have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) does not support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview). +[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) doesn't support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview). ## Prepare a pilot deployment -A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization. +A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization. -At a high level, the tasks involved are: +At a high level, the tasks involved are: -1. Assign a group of users or devices to receive the upgrade. -2. Implement baseline updates. -3. Implement operational updates. -4. Validate the deployment process. -5. Deploy the upgrade to devices. -6. Test and support the pilot devices. -7. Determine broad deployment readiness based on the results of the pilot. +1. Assign a group of users or devices to receive the upgrade. +2. Implement baseline updates. +3. Implement operational updates. +4. Validate the deployment process. +5. Deploy the upgrade to devices. +6. Test and support the pilot devices. +7. Determine broad deployment readiness based on the results of the pilot. ## User readiness -Do not overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: -- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. -- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. -- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. +Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: + +- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes. +- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. +- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. ## Learn more -See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. -- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path. + +- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. ## See also diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index b2aef79c6d..fe1621a610 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -26,7 +26,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). - RAM: 4 gigabytes (GB) or greater. - Storage: 64 GB\* or greater available storage is required to install Windows 11. - - Additional storage space might be required to download updates and enable specific features. + - Extra storage space might be required to download updates and enable specific features. - Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. - System firmware: UEFI, Secure Boot capable. - TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. @@ -34,7 +34,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). +\* There might be more requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). @@ -51,7 +51,7 @@ Eligible Windows 10 devices must be on version 2004 or later, and have installed ## Feature-specific requirements -Some features in Windows 11 have requirements beyond those listed above. See the following list of features and associated requirements. +Some features in Windows 11 have requirements beyond those requirements listed above. See the following list of features and associated requirements. - **5G support**: requires 5G capable modem. - **Auto HDR**: requires an HDR monitor. @@ -74,7 +74,7 @@ Some features in Windows 11 have requirements beyond those listed above. See the - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. +- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. ## Virtual machine support @@ -84,11 +84,11 @@ The following configuration requirements apply to VMs running Windows 11. - Storage: 64 GB or greater - Security: Secure Boot capable, virtual TPM enabled - Memory: 4 GB or greater -- Processor: 2 or more virtual processors +- Processor: Two or more virtual processors The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). -\* In-place upgrade of existing generation 1 VMs to Windows 11 is not possible. +\* In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. > [!NOTE] > Procedures to configure required VM settings depend on the VM host type. For VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version.