From 52a05f027d0741116c7275b3aebe94f4e5063c7c Mon Sep 17 00:00:00 2001 From: anaharris-ms <61602255+anaharris-ms@users.noreply.github.com> Date: Wed, 28 Jun 2023 11:08:25 -0400 Subject: [PATCH 1/9] edit --- ...man-protocol-over-ikev2-vpn-connections.md | 58 ++++++++++++++++--- 1 file changed, 50 insertions(+), 8 deletions(-) diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 834f56a321..809b88492a 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -1,19 +1,25 @@ --- -title: How to configure Diffie Hellman protocol over IKEv2 VPN connections -description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. -ms.date: 09/23/2021 +title: How to configure cryptographic settings for IKEv2 VPN connections +description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections. +ms.date: 06/28/2023 ms.topic: how-to --- -# How to configure Diffie Hellman protocol over IKEv2 VPN connections +# How to configure cryptographic settings for IKEv2 VPN connections -In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. +In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are: + +- Encryption Algorithm : DES3 +- Integrity, Hash Algorithm : SHA1 +- Diffie Hellman Group (Key Size): DH2 + +These settings aren't secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. ## VPN server -For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. +For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. These settings are effective for all IKEv2 VPN connections. ```powershell Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy 
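Review bot: the new defaults paragraph reads "the default setting for IKEv2 cryptographic settings are", which mixes singular and plural; make it "the default IKEv2 cryptographic settings are". In the same list, "Diffie Hellman" should be hyphenated (Diffie-Hellman), and the bullets would be clearer if they named the algorithm and the matching cmdlet parameter, for example `- Encryption algorithm (-EncryptionMethod): 3DES (value DES3)`, `- Integrity/hash algorithm (-IntegrityCheckMethod): SHA1` and `- Diffie-Hellman group (-DHGroup): Group 2 (1024-bit MODP)`, since those are the parameters the reader is told to change further down. The statement that these defaults aren't secure is correct (3DES, SHA-1 and the 1024-bit group 2 are all below current IKE guidance); say that in one sentence instead of leaving it at "aren't secure". Also, the rewritten server sentence still says the cmdlet is run "to configure the tunnel type", but `Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy` is setting a custom IPsec policy for the IKEv2 tunnel type, not selecting a tunnel type; "to set a custom IPsec policy for the IKEv2 tunnel type" is accurate.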
@@ -30,7 +36,43 @@ Set-VpnServerIPsecConfiguration -CustomPolicy For VPN client, you need to configure each VPN connection. For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection: - ```powershell Set-VpnConnectionIPsecConfiguration -ConnectionName -``` \ No newline at end of file +``` + +## IKEv2 Crypto Settings Example + +The following commands configure the IKEv2 cryptographic settings to: + +- Encryption Algorithm : AES128 +- Integrity, Hash Algorithm : SHA256 +- Diffie Hellman Group (Key Size): DH14 + +### IKEv2 VPN Server + +```powershell +Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000 +restart-service RemoteAccess -PassThru +``` + +If you need to switch back to the default IKEv2 settings, use this command: + +```powershell +Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault +restart-service RemoteAccess -PassThru +``` + +### IKEv2 VPN Client + +```powershell +Set-VpnConnectionIPsecConfiguration -ConnectionName -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force +``` + +If you need to switch back to the default IKEv2 settings, use this command: + +```powershell +Set-VpnConnectionIPsecConfiguration -ConnectionName -RevertToDefault -Force +``` + +> [!TIP] +> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command. \ No newline at end of file 
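Review bot: both client commands in the new "IKEv2 VPN Client" subsection are missing the value for `-ConnectionName`; as written, `Set-VpnConnectionIPsecConfiguration -ConnectionName -AuthenticationTransformConstants SHA256128 ...` fails because `-ConnectionName` has no argument (PowerShell reads `-AuthenticationTransformConstants` as the next parameter), and the unchanged snippet just above has the same gap. Use an explicit placeholder such as `-ConnectionName "<ConnectionName>"` in all three. In the server example, the heading list says only AES128 / SHA256 / DH14, but the command also sets `-PfsGroup PFS2048` (PFS using the 2048-bit group, i.e. Group 14) and `-AuthenticationTransformConstants SHA256128` (HMAC-SHA-256 truncated to 128 bits) plus three SA lifetime values; list those too so the reader knows what the command changes, and note that the client's algorithm set must match the server's or IKE negotiation fails. Use consistent cmdlet and parameter casing (`Restart-Service`, and `-PfsGroup` in both commands rather than `-PFSgroup` in one and `-PfsGroup` in the other). `Restart-Service RemoteAccess` drops every active VPN session, which deserves a one-line warning before the command. Finally, the tip reads "a all-user VPN connection"; make it "an all-user VPN connection".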
From 9f04afe6e310725baa8af6fbec86bfdc4b84e343 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:18:38 -0400 Subject: [PATCH 2/9] Changed Microsoft Recommended Block list article --- .openpublishing.redirection.windows-security.json | 5 +++++ .../windows-defender-application-control/TOC.yml | 2 +- ...lock-rules.md => applications-that-can-bypass-wdac.md} | 8 ++++---- 3 files changed, 10 insertions(+), 5 deletions(-) rename windows/security/application-security/application-control/windows-defender-application-control/design/{microsoft-recommended-block-rules.md => applications-that-can-bypass-wdac.md} (99%) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 998d8fad5e..b1fdc02d36 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -80,6 +80,11 @@ "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines", "redirect_document_id": false }, + { + "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md", + "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "redirect_document_id": false + }, { "source_path": "windows/security/apps.md", "redirect_url": "/windows/security/application-security", diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml index 70c937a286..4db0c9a48f 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml 
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml @@ -55,7 +55,7 @@ href: design/create-wdac-policy-using-reference-computer.md - name: Create a WDAC deny list policy href: design/create-wdac-deny-policy.md - - name: Microsoft recommended block rules + - name: Applications that can bypass WDAC and how to block them href: design/microsoft-recommended-block-rules.md - name: Microsoft recommended driver block rules href: design/microsoft-recommended-driver-block-rules.md diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md similarity index 99% rename from windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md rename to windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md index ebc63fd06e..bcce7c5578 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md 
@@ -1,15 +1,15 @@ --- -title: Microsoft recommended block rules +title: Applications that can bypass WDAC and how to block them description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. ms.localizationpriority: medium ms.date: 06/14/2023 ms.topic: reference --- -# Microsoft recommended block rules +# Applications that can bypass WDAC and how to block them ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md). Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC. From f21715f6176866edcccc2590e775f7e2b0f7dbf8 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:21:51 -0400 Subject: [PATCH 3/9] Update TOC --- .../windows-defender-application-control/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml index 4db0c9a48f..3815f2af27 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml +++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml 
@@ -56,7 +56,7 @@ - name: Create a WDAC deny list policy href: design/create-wdac-deny-policy.md - name: Applications that can bypass WDAC and how to block them - href: design/microsoft-recommended-block-rules.md + href: design/applications-that-can-bypass-wdac.md - name: Microsoft recommended driver block rules href: design/microsoft-recommended-driver-block-rules.md - name: Use the WDAC Wizard tool From 5af2f032a7d5e8c84d24ccf5dd58e64d319330fe Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:25:34 -0400 Subject: [PATCH 4/9] Fix redirect --- .openpublishing.redirection.windows-security.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index b1fdc02d36..7347d35cb3 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -81,7 +81,7 @@ "redirect_document_id": false }, { - "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md", + "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md", "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "redirect_document_id": false }, From 874ec6b210c75d39136bb382034ec26e73f3f63f Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:27:33 -0400 Subject: [PATCH 5/9] Fix links --- .../windows-defender-application-control/index.yml | 4 ++-- .../windows-defender-application-control/wdac.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
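Review bot: in PATCH 2/9, the new entry in .openpublishing.redirection.windows-security.json has `"source_path": ".../design/microsoft-recommended-driver-block-rules.md"`, but that is not the file being renamed and it still exists (the TOC hunk in the same patch keeps "Microsoft recommended driver block rules" pointing at it); the redirect should cover `microsoft-recommended-block-rules.md`, otherwise the driver blocklist page is redirected to the application bypass list and the renamed page gets no redirect at all. PATCH 4/9 corrects exactly this; squash it into this commit so no intermediate commit ships a wrong redirect.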
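Review bot: in PATCH 2/9's TOC.yml hunk the entry is renamed to "Applications that can bypass WDAC and how to block them" but `href: design/microsoft-recommended-block-rules.md` still points at the file this same commit renames, so the TOC link is broken at this commit. PATCH 3/9 updates the href; fold it into this commit.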
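Review bot: in the renamed article's front matter only `title` is updated; `description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.` no longer matches the new title and should be reworded along the lines of "View a list of legitimate applications an attacker could use to bypass WDAC, and the recommended rules to block them." `ms.date: 06/14/2023` is also left as-is despite the retitle. The `> [!NOTE]` spacing fix is fine.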
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/index.yml b/windows/security/application-security/application-control/windows-defender-application-control/index.yml index 116b217e84..1b1d46e536 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/index.yml +++ b/windows/security/application-security/application-control/windows-defender-application-control/index.yml @@ -33,8 +33,8 @@ landingContent: links: - text: Using code signing to simplify application control url: deployment/use-code-signing-for-better-control-and-protection.md - - text: Microsoft's Recommended Blocklist - url: design/microsoft-recommended-block-rules.md + - text: Applications that can bypass WDAC and how to block them + url: design/applications-that-can-bypass-wdac.md - text: Microsoft's Recommended Driver Blocklist url: design/microsoft-recommended-driver-block-rules.md - text: Example WDAC policies diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md index dee33405bb..7ee7a13013 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md 
@@ -47,7 +47,7 @@ Smart App Control is only available on clean installation of Windows 11 version ### Smart App Control Enforced Blocks -Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: +Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: - Infdefaultinstall.exe - Microsoft.Build.dll From 566ab39741005320d13ce90db371a8b21dcb4010 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:55:36 -0400 Subject: [PATCH 6/9] Update AppDefaults CSP --- .../mdm/policy-csp-applicationdefaults.md | 121 +++++++++--------- 1 file changed, 62 insertions(+), 59 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 3b93d81859..7ce0365c67 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 08/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
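Review bot: in PATCH 5/9's wdac.md hunk the link target is updated but the link text still reads "Microsoft Recommended Block Rules"; the target article is now titled "Applications that can bypass WDAC and how to block them", so update the text as well (the index.yml hunk in the same patch already does) so readers recognise the page they land on.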
@@ -36,20 +36,8 @@ ms.topic: reference - -This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool. - -For example: - -Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt. - -For more information, refer to the DISM documentation on TechNet. - -If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time. - -If the group policy isn't configured, disabled, or the client machine isn't domain-joined, no default associations will be applied at logon time. - -If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations. + +This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. @@ -84,54 +72,69 @@ If the policy is enabled, disabled, or not configured, users will still be able **Example**: To create the SyncML, follow these steps: -
    -
  1. Install a few apps and change your defaults.
  2. -
  3. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
  4. -
  5. Take the XML output and put it through your favorite base64 encoder app.
  6. -
  7. Paste the base64 encoded XML into the SyncML
  8. -
-Here's an example output from the dism default association export command: -```xml - - - - - - - - -``` +1. Install a few apps and change your defaults. +1. From an elevated prompt, run `dism /online /export-defaultappassociations:C:\appassoc.xml`. Here's an example output from the dism default association export command: -Here's the base64 encoded result: + ```xml + + + + + + + + + ``` -``` syntax -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 -``` -Here's the SyncML example: + Starting in Windows 11, version 22H2, two new attributes are available for further customization of the policy. These attributes can be used to change how often the policy associations are applied. -```xml - - - - - 101 - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration - - PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= - - - - - - -``` + - **Version** attribute for `DefaultAssociations`. This is used to control when **Suggested** associations are applied. Whenever the **Version** value is incremented, a **Suggested** association is applied one time. 
+ - **Suggested** attribute for `Association`. The default value is false. If it is false, the **Association** is applied on every logon. If it is true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next logon. + + In the following example, the **Association** for `.htm` is applied on first logon of the user, and all others are applied on every logon. If **Version** is incremented, and the updated file is deployed to the user, the **Association** for `.htm` is applied again: + + ```xml + + +    +    +    +    +    + + ``` + +1. Take the XML output and put it through your favorite base64 encoder app. Here's the base64 encoded result: + + ```text + 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 + ``` + +1. Paste the base64 encoded XML into the SyncML. Here's the SyncML example: + + ```xml + + + + + 101 + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration + + 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 + + + + + + + ``` From 9480b6e0222dccc9012194f422720fc058a99741 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:07:40 -0400 Subject: [PATCH 7/9] Update description --- windows/client-management/mdm/policy-csp-applicationdefaults.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 7ce0365c67..eaeab33b79 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md 
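Review bot: in PATCH 6/9, the rewritten description of DefaultAssociationsConfiguration drops the sentence "If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations." That sentence is what tells an administrator this policy sets defaults rather than enforcing them; if it still holds for the CSP, keep it, and if MDM behaves differently, state that explicitly instead of removing the statement silently. Also `dism /online /export-defaultappassociations:appassoc. xml` has a stray space before `xml` (PATCH 7/9 fixes this; squash it).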
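Review bot: in PATCH 6/9's rewritten steps, the indentation inside the "In the following example" `xml` block uses non-breaking spaces (the `+    ` lines), which a reader will paste into the association file along with the elements; replace them with ordinary spaces. Step 3 still says "put it through your favorite base64 encoder app"; since the page walks through a DISM/PowerShell workflow, give the one-liner `[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\appassoc.xml'))` instead. Make sure the base64 shown in step 3 and in the SyncML `<Data>` element is re-encoded from the updated XML that carries the `Version` and `Suggested` attributes: the `<Data>` value removed in this hunk decodes to a `<DefaultAssociations>` document with neither attribute, so if it was carried over, the SyncML example contradicts the worked example directly above it. Minor: the Windows 11 22H2 attribute explanation is nested inside step 2 of the procedure and reads better as its own paragraph before the numbered steps.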
@@ -37,7 +37,7 @@ ms.topic: reference -This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. +This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. From cbc853fc1ab112eca183431580b37a58c2853c44 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:14:33 -0400 Subject: [PATCH 8/9] Acro-updates --- .../client-management/mdm/policy-csp-applicationdefaults.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index eaeab33b79..7f105c6341 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md 
@@ -89,10 +89,10 @@ To create the SyncML, follow these steps: Starting in Windows 11, version 22H2, two new attributes are available for further customization of the policy. These attributes can be used to change how often the policy associations are applied. - - **Version** attribute for `DefaultAssociations`. This is used to control when **Suggested** associations are applied. Whenever the **Version** value is incremented, a **Suggested** association is applied one time. - - **Suggested** attribute for `Association`. The default value is false. If it is false, the **Association** is applied on every logon. If it is true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next logon. + - **Version** attribute for `DefaultAssociations`. This attribute is used to control when **Suggested** associations are applied. Whenever the **Version** value is incremented, a **Suggested** association is applied one time. + - **Suggested** attribute for `Association`. The default value is false. If it's false, the **Association** is applied on every sign-in. If it's' true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next sign-in. - In the following example, the **Association** for `.htm` is applied on first logon of the user, and all others are applied on every logon. If **Version** is incremented, and the updated file is deployed to the user, the **Association** for `.htm` is applied again: + In the following example, the **Association** for `.htm` is applied on first sign-in of the user, and all others are applied on every sign-in. If **Version** is incremented, and the updated file is deployed to the user, the **Association** for `.htm` is applied again: ```xml 
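Review bot: the Acrolinx rewrite in PATCH 8/9 introduces a stray apostrophe in "If it's' true, the **Association** is only applied once"; PATCH 9/9 fixes it, so squash the two. While here, "on next sign-in" reads better as "on the next sign-in".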
From 306618c45efad6a6c0de86235f4eab5f4a8e1023 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 13:57:33 -0400 Subject: [PATCH 9/9] Fix typo --- windows/client-management/mdm/policy-csp-applicationdefaults.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 7f105c6341..b2500d8e36 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md 
@@ -90,7 +90,7 @@ To create the SyncML, follow these steps: Starting in Windows 11, version 22H2, two new attributes are available for further customization of the policy. These attributes can be used to change how often the policy associations are applied. - **Version** attribute for `DefaultAssociations`. This attribute is used to control when **Suggested** associations are applied. Whenever the **Version** value is incremented, a **Suggested** association is applied one time. - - **Suggested** attribute for `Association`. The default value is false. If it's false, the **Association** is applied on every sign-in. If it's' true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next sign-in. + - **Suggested** attribute for `Association`. The default value is false. If it's false, the **Association** is applied on every sign-in. If it's true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next sign-in. In the following example, the **Association** for `.htm` is applied on first sign-in of the user, and all others are applied on every sign-in. If **Version** is incremented, and the updated file is deployed to the user, the **Association** for `.htm` is applied again: