From 3c4f95901ffa8af447ea05f12bf578d99959b33c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 14 Dec 2018 15:56:32 -0800 Subject: [PATCH 1/7] edits --- .../device-control/control-usb-devices-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index a2938cdf3c..ac02329cc5 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -175,7 +175,7 @@ For a SyncML example that prevents installation of specific device IDs, see [Dev ## Related topics - [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) -- [Defender/AllowFullScanRemovableDriveScanning CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) - [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) - [Perform a custom scan of a removable device](https://aka.ms/scanusb) - [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) From 38607c682f5da32e7f5c94a6ddbcbbe19b4fab85 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 19 Dec 2018 11:47:48 -0800 Subject: [PATCH 2/7] spelling --- .../device-control/control-usb-devices-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 03e3aaac6d..1f94b66e1c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium ms.author: justinha author: justinha -ms.date: 12/18/2018 +ms.date: 12/20/2018 --- # How to control USB devices and other removable media using Windows Defender ATP @@ -36,7 +36,7 @@ For more information about controlling USB devices, see the [Microsoft Secure bl ## Prevent threats from removable storage -Windows Defender ATP can help identify and block malicious files on allowed removeable storage peripherals. +Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. ### Enable Windows Defender Antivirus Scanning From 3eda816af590c06b57e101c2dd4afbddd8c6cbb2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 19 Dec 2018 12:06:45 -0800 Subject: [PATCH 3/7] added Administrator recommendation for SeDebugPrivilege --- windows/security/threat-protection/auditing/event-4672.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index e31ecb598c..baac7dff4d 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 12/20/2018 --- # 4672(S): Special privileges assigned to new logon. @@ -18,7 +18,7 @@ ms.date: 04/19/2017 Event 4672 illustration - +
***Subcategory:*** [Audit Special Logon](audit-special-logon.md) ***Event Description:*** @@ -125,7 +125,7 @@ You typically will see many of these events in the event log, because every logo | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | | SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | | SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | | SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | | SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | | SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | From c40048856a6fe99232fba35a6f8b047218c0369b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 19 Dec 2018 12:32:43 -0800 Subject: [PATCH 4/7] clarified peripheral behavior --- .../kernel-dma-protection-for-thunderbolt.md | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 50c63fd31c..529d064913 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 12/08/2018 +ms.date: 12/20/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 
@@ -38,17 +38,17 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and ## How Windows protects against DMA drive-by attacks -Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping). -Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. +Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). +Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. +By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. ## User experience ![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) -A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked. -Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged. -The devices will continue to function normally if the user locks the screen or logs out of the system. +A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. 
+Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. +The peripheral will continue to function normally if the user locks the screen or logs out of the system. ## System compatibility @@ -88,7 +88,7 @@ For systems that do not support Kernel DMA Protection, please refer to the [BitL ## Frequently asked questions ### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. +In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. 
@@ -108,10 +108,13 @@ In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Co ### Do drivers for non-PCI devices need to be compatible with DMA-remapping? No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping. -### How can an enterprise enable the “External device enumeration” policy? -The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM): +### How can an enterprise enable the External device enumeration policy? +The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +The policy can be enabled by using: + - Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection -- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) +- Mobile Device Management (MDM): [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) ## Related topics From 774e9b599ba4d036a66f5f887355585f02d573b6 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 19 Dec 2018 23:17:25 +0000 Subject: [PATCH 5/7] Fixed table --- .../customize-attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 557b83c494..2b00cbb179 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/27/2018 +ms.date: 12/19/2018 --- # Customize attack surface reduction rules @@ -47,7 +47,7 @@ Rule description | GUID -|:-:|- Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D From 9e8ab5708586ac18e6088abaaa741715d4a54370 Mon Sep 17 00:00:00 2001 From: Christopher Yoo Date: Wed, 19 Dec 2018 23:28:20 +0000 Subject: [PATCH 6/7] Updated Microsoft-DiagnosticDataViewer.md with better language --- .../privacy/Microsoft-DiagnosticDataViewer.md | 35 +++++-------------- 1 file changed, 9 insertions(+), 26 deletions(-) diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index c7c10965fd..f50049e9bc 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md 
@@ -32,14 +32,18 @@ You must have administrative privilege on the device in order to use this PowerS You must install the module before you can use the Diagnostic Data Viewer for PowerShell. +### Opening an Elevated PowerShell session + +Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to open an elevated PowerShell prompt. You can use either method. +- Go to **Start** > **Windows PowerShell** > **Run as administrator** +- Go to **Start** > **Command prompt** > **Run as administrator**, and run the command `C:\> powershell.exe` + ### Install the Diagnostic Data Viewer for PowerShell >[!IMPORTANT] >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. -To install the newest version of the Diagnostic Data Viewer PowerShell module: -1. From an elevated Command Prompt, start a PowerShell session by running `C:\> powershell.exe`. -2. Install the module by name +To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer ``` @@ -60,10 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat **To turn on data viewing through PowerShell** -1. Install the Diagnostic Data Viewer for PowerShell module. -2. Run the Command prompt **as administrator**. -3. Start a PowerShell session by running `C:\> powershell.exe`. -4. Run the following commands in the PowerShell session: +Run the following command within an elevated PowerShell session: ```powershell PS C:\> Enable-DiagnosticDataViewing 
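Review bot: in the new "Opening an Elevated PowerShell session" section of Microsoft-DiagnosticDataViewer.md, the second bullet tells the reader to "run the command `C:\> powershell.exe`", but `C:\>` is the prompt, not part of the command, and typing it as written fails; write the bullet as "and run `powershell.exe`". The heading also capitalizes "Elevated" and "Session" differently from the sibling "### Install the Diagnostic Data Viewer for PowerShell"; "### Open an elevated PowerShell session" matches that style and the imperative form of the step headings.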
@@ -74,22 +75,6 @@ Once data viewing is enabled, your Windows machine will begin saving a history o >[!IMPORTANT] >Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. -### Start the Diagnostic Data Viewer -You must start this app from the **Settings** panel. - -**To start the Diagnostic Data Viewer** -1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - -2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. - - ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

-OR-

- - Go to **Start** and search for _Diagnostic Data Viewer_. - -3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. - - >[!IMPORTANT] - >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. ### Getting Started with Diagnostic Data Viewer for PowerShell To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: @@ -149,9 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v **To turn off data viewing through PowerShell** -1. Run the Command prompt **as administrator**. -2. Start a PowerShell session by running `C:\> powershell.exe`. -3. Run the following commands in the PowerShell session: +Within an elevated PowerShell session, run the following command: ```powershell PS C:\> Disable-DiagnosticDataViewing From 48ac03a1798e5a439fdf14e172671f0fa8157077 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 20 Dec 2018 00:15:10 +0000 Subject: [PATCH 7/7] Merged PR 13476: new more news article new more news article --- windows/deployment/update/waas-morenews.md | 19 +++++++++++++++++++ .../deployment/update/windows-as-a-service.md | 6 ++---- 2 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 windows/deployment/update/waas-morenews.md diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md new file mode 100644 index 0000000000..a8a889c72c --- /dev/null +++ b/windows/deployment/update/waas-morenews.md 
@@ -0,0 +1,19 @@ +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 12/19/2018 +ms.localizationpriority: high +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + \ No newline at end of file diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 1667e19851..de4b23511b 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -45,11 +45,9 @@ The latest news:
  • Windows 10 quality updates explained and the end of delta updates - July 11, 2018
  • AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018
  • Windows Server 2008 SP2 Servicing Changes - June 12, 2018 -
  • Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018 -
  • Windows 10 and the disappearing SAC-T - May 31, 2018 -
  • Manage update download size using Windows as a service - March 30, 2018
  • +
  • Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018 -[See more news](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog) +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). ## IT pro champs corner Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing.
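Review bot: in the Related topics hunk of control-usb-devices-using-intune.md, dropping "CSP" from the Defender/AllowFullScanRemovableDriveScanning entry is correct (it is a policy inside Policy CSP, not a CSP of its own), but it leaves the next entry, "Policy/DeviceInstallation CSP", named in the old form, so adjacent items for two Policy CSP areas now read differently; use one convention for both, e.g. "Policy CSP - Defender/AllowFullScanRemovableDriveScanning" and "Policy CSP - DeviceInstallation", keeping the existing URLs.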
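Review bot: in the event-4672.md table hunk, the new sentence "We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators." is immediately followed by the retained "Developers who are debugging new system components need this user right.", which reads as a contradiction; reword the developer sentence to say that such developers should do that work from an account in the Administrators group rather than being assigned the right individually. Because this table sits in the 4672 article, one more sentence would make the recommendation actionable for readers of that event: a 4672 event whose privilege list contains SeDebugPrivilege for an account outside Administrators is worth investigating, since the right gives full access to every process and the kernel, as the row already states.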
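Review bot: in the kernel-dma-protection-for-thunderbolt.md hunk at line 108, "Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default)." is ungrammatical; suggest "Peripherals that are not compatible with DMA-remapping can be blocked, allowed, or allowed only after the user signs in (the default).", which also matches the "By default, peripherals with incompatible drivers will be blocked" wording introduced in the earlier hunk. The unchanged context line "Devices for non-PCI peripherals, such as USB devices, do not perform DMA" is imprecise: a USB device is not a bus master, but the PCI host controller it is attached to performs DMA on its behalf, which is exactly why the hunk's first context line about the inbox USB XHCI drivers being DMA-remapping compatible matters; saying "the USB host controller performs DMA on their behalf, so it is the controller driver that must be compatible" would close that gap.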
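Review bot: in the customize-attack-surface-reduction.md hunk, the inserted pipe fixes the "Block Win32 API calls from Office macro" row, but the delimiter row shown in context, `-|:-:|-`, declares three columns while the header `Rule description | GUID` has two; some Markdown renderers will not render a table whose delimiter row does not match the header, so check the rendered page and, if needed, change the delimiter to `-|:-:` in the same commit.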
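Review bot: the hunk at line 74 of Microsoft-DiagnosticDataViewer.md removes the whole "Start the Diagnostic Data Viewer" section, including the reference to `images/ddv-settings-launch.png`; if no other page references that image, delete it in the same change, and if the Settings-app launch steps now live elsewhere, add a link to that page here so readers who arrive at the PowerShell article can still find the app. The removed section also carried its own 1GB disk-space warning; the one retained above the hunk covers that, so nothing is lost there.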
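Review bot: waas-morenews.md is added without a trailing newline (the diff shows `\ No newline at end of file`); add one. Its front matter sets `title: Windows as a service`, identical to the parent article's title, while its H1 is "Windows as a service - More news"; give the new page a distinct `title` so the two pages are distinguishable in search results and browser tabs. In the windows-as-a-service.md hunk, the items removed from the list (Windows 10 and the disappearing SAC-T - May 31, 2018, and Manage update download size using Windows as a service - March 30, 2018) should be carried over to the new page, but as shown in this patch the new file contains only the heading and the intro sentence; confirm they are present before merging.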