Merge branch 'main' into pm-20230802-security-book-alignment

.openpublishing.redirection.windows-security.json

@@ -80,6 +80,11 @@
       "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md",
+      "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/apps.md",
       "redirect_url": "/windows/security/application-security",

windows/client-management/mdm/policy-csp-applicationdefaults.md

@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -36,20 +36,8 @@ ms.topic: reference
 <!-- DefaultAssociationsConfiguration-OmaUri-End -->
 
 <!-- DefaultAssociationsConfiguration-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool.
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
-
-For example:
-
-Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt.
-
-For more information, refer to the DISM documentation on TechNet.
-
-If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time.
-
-If the group policy isn't configured, disabled, or the client machine isn't domain-joined, no default associations will be applied at logon time.
-
-If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.
 <!-- DefaultAssociationsConfiguration-Description-End -->
 
 <!-- DefaultAssociationsConfiguration-Editable-Begin -->
@@ -84,36 +72,51 @@ If the policy is enabled, disabled, or not configured, users will still be able
 **Example**:
 
 To create the SyncML, follow these steps:
-<ol>
-<li>Install a few apps and change your defaults.</li>
-<li>From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"</li>
-<li>Take the XML output and put it through your favorite base64 encoder app.</li>
-<li>Paste the base64 encoded XML into the SyncML</li>
-</ol>
 
-Here's an example output from the dism default association export command:
+1. Install a few apps and change your defaults.
-```xml
+1. From an elevated prompt, run `dism /online /export-defaultappassociations:C:\appassoc.xml`. Here's an example output from the dism default association export command:
-<?xml version="1.0" encoding="UTF-8"?>
+
-<DefaultAssociations>
+    ```xml
+    <?xml version="1.0" encoding="UTF-8"?>
+    <DefaultAssociations>
       <Association Identifier=".htm" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
       <Association Identifier=".html" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
       <Association Identifier=".pdf" ProgId="AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" ApplicationName="Microsoft Edge" />
       <Association Identifier="http" ProgId="AppXq0fevzme2pys62n3e0fbqa7peapykr8v" ApplicationName="Microsoft Edge" />
       <Association Identifier="https" ProgId="AppX90nv6nhay5n6a98fnetv7tpk64pp35es" ApplicationName="Microsoft Edge" />
-</DefaultAssociations>
+    </DefaultAssociations>
-```
+    ```
 
-Here's the base64 encoded result:
+    Starting in Windows 11, version 22H2, two new attributes are available for further customization of the policy. These attributes can be used to change how often the policy associations are applied.
 
-``` syntax
+    - **Version** attribute for `DefaultAssociations`. This attribute is used to control when **Suggested** associations are applied. Whenever the **Version** value is incremented, a **Suggested** association is applied one time.
-PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+    - **Suggested** attribute for `Association`. The default value is false. If it's false, the **Association** is applied on every sign-in. If it's true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next sign-in.
-```
-Here's the SyncML example:
 
-```xml
+    In the following example, the **Association** for `.htm` is applied on first sign-in of the user, and all others are applied on every sign-in. If **Version** is incremented, and the updated file is deployed to the user, the **Association** for `.htm` is applied again:
-<?xml version="1.0" encoding="utf-8"?>
+
-<SyncML xmlns="SYNCML:SYNCML1.1">
+    ```xml
-<SyncBody>
+    <?xml version="1.0" encoding="UTF-8"?>
+    <DefaultAssociations Version="1" >
+      <Association Identifier=".htm" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" Suggested="true" />
+      <Association Identifier=".html" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
+      <Association Identifier=".pdf" ProgId="AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" ApplicationName="Microsoft Edge" />
+      <Association Identifier="http" ProgId="AppXq0fevzme2pys62n3e0fbqa7peapykr8v" ApplicationName="Microsoft Edge" />
+      <Association Identifier="https" ProgId="AppX90nv6nhay5n6a98fnetv7tpk64pp35es" ApplicationName="Microsoft Edge" />
+    </DefaultAssociations>
+    ```
+
+1. Take the XML output and put it through your favorite base64 encoder app. Here's the base64 encoded result:
+
+    ```text
+    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+    ```
+
+1. Paste the base64 encoded XML into the SyncML. Here's the SyncML example:
+
+    ```xml
+    <?xml version="1.0" encoding="utf-8"?>
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
         <Replace>
           <CmdID>101</CmdID>
           <Item>
@@ -125,13 +128,13 @@ Here's the SyncML example:
               <LocURI>./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration</LocURI>
             </Target>
             <Data>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
-</Data>
+            </Data>
           </Item>
         </Replace>
       <Final/>
       </SyncBody>
-</SyncML>
+    </SyncML>
-```
+    ```
 <!-- DefaultAssociationsConfiguration-Examples-End -->
 
 <!-- DefaultAssociationsConfiguration-End -->

windows/security/application-security/application-control/windows-defender-application-control/TOC.yml

@@ -55,8 +55,8 @@
               href: design/create-wdac-policy-using-reference-computer.md
             - name: Create a WDAC deny list policy
               href: design/create-wdac-deny-policy.md
-            - name: Microsoft recommended block rules
+            - name: Applications that can bypass WDAC and how to block them
-              href: design/microsoft-recommended-block-rules.md
+              href: design/applications-that-can-bypass-wdac.md
             - name: Microsoft recommended driver block rules
               href: design/microsoft-recommended-driver-block-rules.md
         - name: Use the WDAC Wizard tool

windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md

@@ -1,15 +1,15 @@
 ---
-title: Microsoft recommended block rules
+title: Applications that can bypass WDAC and how to block them
 description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
 ms.localizationpriority: medium
 ms.date: 06/14/2023
 ms.topic: reference
 ---
 
-# Microsoft recommended block rules
+# Applications that can bypass WDAC and how to block them
 
->[!NOTE]
+> [!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
 
 Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.
 

windows/security/application-security/application-control/windows-defender-application-control/index.yml

@@ -33,8 +33,8 @@ landingContent:
         links:
           - text: Using code signing to simplify application control
             url: deployment/use-code-signing-for-better-control-and-protection.md
-          - text: Microsoft's Recommended Blocklist
+          - text: Applications that can bypass WDAC and how to block them
-            url: design/microsoft-recommended-block-rules.md
+            url: design/applications-that-can-bypass-wdac.md
           - text: Microsoft's Recommended Driver Blocklist
             url: design/microsoft-recommended-driver-block-rules.md
           - text: Example WDAC policies

windows/security/application-security/application-control/windows-defender-application-control/wdac.md

@@ -47,7 +47,7 @@ Smart App Control is only available on clean installation of Windows 11 version
 
 ### Smart App Control Enforced Blocks
 
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
 
 - Infdefaultinstall.exe
 - Microsoft.Build.dll

windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md

@@ -1,19 +1,25 @@
 ---
-title: How to configure Diffie Hellman protocol over IKEv2 VPN connections
+title: How to configure cryptographic settings for IKEv2 VPN connections
-description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
+description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 09/23/2021
+ms.date: 06/28/2023
 ms.topic: how-to
 ---
 
-# How to configure Diffie Hellman protocol over IKEv2 VPN connections
+# How to configure cryptographic settings for IKEv2 VPN connections
 
-In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
+In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
+
+- Encryption Algorithm           : DES3  
+- Integrity, Hash Algorithm      : SHA1  
+- Diffie Hellman Group (Key Size): DH2
+
+These settings aren't secure for IKE exchanges.  
 
 To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
 
 ## VPN server
 
-For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
+For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. These settings are effective for all IKEv2 VPN connections.
 
 ```powershell
 Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
@@ -30,7 +36,43 @@ Set-VpnServerIPsecConfiguration -CustomPolicy
 For VPN client, you need to configure each VPN connection. 
 For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection:
 
-
 ```powershell
 Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
 ```
+
+## IKEv2 Crypto Settings Example
+
+The following commands configure the IKEv2 cryptographic settings to:  
+
+- Encryption Algorithm           : AES128  
+- Integrity, Hash Algorithm      : SHA256  
+- Diffie Hellman Group (Key Size): DH14  
+
+### IKEv2 VPN Server  
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000  
+restart-service RemoteAccess -PassThru
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault  
+restart-service RemoteAccess -PassThru
+```
+
+### IKEv2 VPN Client  
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -RevertToDefault -Force
+```
+
+> [!TIP]  
+> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.