mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-05 09:07:22 +00:00

Latest updates for issues content (#379 )

* Updated deployment-vdi-windows-defender-antivirus.md

* Updated deployment-vdi-windows-defender-antivirus.md

* Updated deployment-vdi-windows-defender-antivirus.md

* updates for new vdi stuff

* Adding important note to solve #3493

* Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Typo "&lt;"→"<", "&gt;"→">"

https://docs.microsoft.com/en-us/windows/application-management/manage-windows-mixed-reality

* Issue #2297

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Clarification

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* update troubleshoot-np.md

* update configure-endpoints-gp.md

* Removing a part which is not supported

* Name change

* update troubleshoot-np.md

* removed on-premises added -hello

* Added link into Domain controller guide

* Line corections

* corrected formatting of xml code samples

When viewing the page in Win 10/Edge, the xml code samples stretched across the page, running into the side menu. The lack of line breaks also made it hard to read.

This update adds line breaks and syntax highlighting, replaces curly double quotes with standard double quotes, and adds a closing tag for <appv:appconnectiongroup>for each code sample

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/deployment/update/waas-delivery-optimization-reference.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/deployment/update/waas-delivery-optimization-reference.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* corrected formating of XML examples

The XML samples here present the same formatting problems as in about-the-connection-group-file51.md (see https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3847/)

Perhaps we should open an issue to see if we have more versions of this code sample in the docs

* corrected formatting of XML example section

In the XML example on this page, the whitespace had been stripped out, so there were no spaces between adjacent attribute values or keys.

This made it hard to read, though the original formatting allowed for a scroll bar, so the text was not running into the side of the page (compare to https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3847 and https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3850, where the uncorrected formatting forced the text to run into the side menu).

* update configure-endpoints-gp.md

* Fixed error in registry path and improved description

* Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Removing extra line in 25 

Suggested by

* update windows-analytics-azure-portal.md

* re: broken links, credential-guard-considerations

Context:
* #3513, MVA is being retired and producing broken links
* #3860 Microsoft Virtual Academy video links

This page contains two links to deprecated video content on Microsoft Virtual Academy (MVA).

MVA is being retired. 

In addition, the Deep Dive course the two links point to is already retired, and no replacement course exists.

I removed the first link, as I could not find a similar video available describing which credentials are covered by credential guard.

I replaced the second link with a video containing similar material, though it is not a "deep dive".

Suggestions on handling this problem, as many pages contain similar links, would be appreciated,.

* removed link to retired video re: #3867

Context:
* #3513, MVA is being retired and producing broken links
* #3867, Microsoft Virtual Academy video links

This page contains a broken link to deprecated video content on Microsoft Virtual Academy (MVA).

MVA is being retired. 

In addition, the Deep Dive course is already retired, and no replacement course exists.

I removed the whole _See Also_ section, as I could not find a video narrowly or deeply addressing how to protect privelaged users with Credential Guard. The most likely candidate is too short and general: https://www.linkedin.com/learning/cism-cert-prep-1-information-security-governance/privileged-account-management

* addressing broken mva links, #3817

Context:
* #3513, MVA is being retired and producing broken links
* #3817, Another broken link

This page contains two links to deprecated video content on Microsoft Virtual Academy (MVA).

MVA is being retired. 

In addition, the Deep Dive course the two links point to is already retired, and no replacement course exists.

I removed the first link, as we no longer have a video with similar content for a similar audience. The most likely candidate is https://www.linkedin.com/learning/programming-foundations-web-security-2/types-of-credential-attacks, which is more general and for a less technical audience. 

I removed the second link and the _See Also_ section, as I could not find a similar video narrowly focused on which credentials are covered by Credential Guard. Most of the related material available now describes how to perform a task.

* Update deployment-vdi-windows-defender-antivirus.md

* typo fix re: #3876; DMSA -> DSMA

* Addressing dead MVA links, #3818

This page, like its fellows in the mva-links label, contains links to a retired video course on a website that is retiring soon.

The links listed by the user in issue #3818 were also on several other pages, related to Credentials Guard. 

These links were addressed in the pull requests #3875, #3872, and #3871

Credentials threat & lateral threat link: removed (see PR #3875 for reasoning) 
Virtualization link: replaced (see #3871 for reasoning)
Credentials protected link: removed (see #3872 for reasoning)

* Adding notes for known issue in script

Solves #3869

* Updated the download link admx files Windows 10

Added link for April 2018 and Oct 2018 ADMX files.

* added event logs path

Referenced : https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Suggestions applied.

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update deployment-vdi-windows-defender-antivirus.md

* screenshot update

* Add files via upload

* update 4 scrrenshots

* Update deployment-vdi-windows-defender-antivirus.md

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Re: #3909

Top link is broken, #3909 

> The link here does not work:
> Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

The link to the pdf describing MDATP was broken.

Thankfully, PR #2897 updated the same link in another page some time ago, so I didn't have to go hunting for an equivalent

* CI Update

* Updated as per task 3405344

* Updated author

* Update windows-analytics-azure-portal.md

* added the example query

* Updated author fields

* Update office-csp.md

* update video for testing

* update video

* Update surface-hub-site-readiness-guide.md

line 134 Fixed  video link MD formatting

* fixing video url

* updates from Albert

* Bulk replaced author to manikadhiman

* Bulk replaced ms.author to v-madhi

* Latest content is published (#371)

* Added 1903 policy DDF link and fixed a typo

* Reverted the DDF version

* Latest update (#375)

* Update deployment-vdi-windows-defender-antivirus.md

* Update deployment-vdi-windows-defender-antivirus.md

2019-06-06 15:54:17 -07:00

14 KiB

Raw Blame History

title, description, author, ms.assetid, ms.reviewer, manager, ms.author, ms.pagetype, ms.mktglfcycl, ms.sitesec, ms.prod, ms.date

title	description	author	ms.assetid	ms.reviewer	manager	ms.author	ms.pagetype	ms.mktglfcycl	ms.sitesec	ms.prod	ms.date
Technical Overview of AGPM	Technical Overview of AGPM	mjcaparas	36bc0ab5-f752-474c-8559-721ea95169c2		dansimp	macapara	mdop	manage	library	w10	08/30/2016

Technical Overview of AGPM

Microsoft Advanced Group Policy Management (AGPM) is a client/server application. The AGPM Server stores Group Policy Objects (GPOs) offline in the archive that AGPM creates on the server's file system. Group Policy administrators use the AGPM snap-in for the Group Policy Management Console (GPMC) to work with GPOs on the server that hosts the archive. Understanding the parts of AGPM and related items, how they store GPOs in the file system, and how permissions control the actions available to each user role can improve Group Policy administrators' effectiveness with AGPM.

Terminology

The following explains the basic AGPM terms.

AGPM Client: A computer that runs the AGPM snap-in for the Group Policy Management Console (GPMC) and from which Group Policy administrators manage GPOs.
AGPM snap-in: The software component of AGPM installed on AGPM Clients so that they can manage GPOs.
AGPM Server: A server that runs the AGPM Service and manages an archive. Each AGPM Server can manage only one archive, but one AGPM Server can manage archive data for multiple domains in one archive. An archive can be hosted on a computer other than an AGPM Server.
AGPM Service: The software component of AGPM that runs on an AGPM Server as a service. The service manages GPOs in the archive and in the production environment in that forest.
Archive: In AGPM, a central store that contains the controlled GPOs that the associated AGPM Server manages, in addition to the history for each of those GPOs. This includes all previous controlled versions of each GPO. An archive consists of an archive index file and associated archive data that may include data for GPOs in multiple domains. An archive can be hosted on a computer other than an AGPM Server.
Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.
Uncontrolled GPO: A GPO in the production environment for a domain and not managed by AGPM.

What AGPM installs, creates, and affects

On an AGPM Server, the AGPM Setup program installs the AGPM Service. AGPM does not alter the Active Directory® directory service or the schema. By default, the AGPM Server program files are installed in %ProgramFiles%\Microsoft\AGPM\Server. You can install the AGPM Service on a domain controller if you have to; however, we recommend that you install the AGPM Service on a member server.

On an AGPM Client, the AGPM Setup program installs the AGPM snap-in, adding a Change Control folder to each domain that appears in the GPMC. By default, the AGPM Client program files are installed in %ProgramFiles%\Microsoft\AGPM\Client.

Table 1 describes both the items that AGPM installs or creates and the parts of the operating system that affect AGPM operation.

Table 1: Items installed, created, or affected by AGPM

Item	Description
AGPM Service	The AGPM Service runs on the AGPM Server. The service manages the archive, which contains offline GPOs, and controlled GPOs in the production environment. The default configuration of the AGPM Service is as follows: Service name: AGPM Service Display name: AGPM Service Path to executable: %ProgramFiles%\Microsoft\AGPM\Server\Agpm.exe Startup: Automatic Log on as: AGPM Service Account specified during installation of AGPM Server, which can be changed using Programs and Features in the Control Panel.
AGPM archive	By default, AGPM creates the archive in %ProgramData%\Microsoft\AGPM on the AGPM Server. The archive provides storage for offline GPOs, and it can store multiple versions of each GPO. Changes that AGPM makes to GPOs in the archive do not affect the production environment until an AGPM Administrator or Approver deploys the GPO to the production environment and links the GPO to an organizational unit (OU).
Windows Firewall	During installation, AGPM enables an inbound Windows Firewall rule that allows the AGPM Client to communicate with the AGPM Server. The default Windows Firewall rule is the following: Name: AGPM Service Action: Allow the connection Programs: All programs that meet the specified conditions Protocol type: TCP Local port: 4600 Remote port: All ports Local IP address: Any Remote IP address: Any
E-mail server	AGPM uses Simple Mail Transfer Protocol (SMTP) to send e-mail requests to the addresses configured on the Domain Delegation tab. For example, when an Editor requests that a new GPO be created, AGPM notifies each e-mail address specified on the Domain Delegation tab.
AGPM snap-in	The AGPM snap-in for the GPMC runs on AGPM Clients and is used by Group Policy administrators to manage GPOs. The snap-in appears in the GPMC as a Change Control folder in each domain.

Additional references

For more information about the files installed by AGPM, see the Planning Guide for AGPM.

Roles and permissions

Roles simplify delegation. Instead of assigning detailed permissions to Group Policy administrators, AGPM Administrators can assign one of four roles to Group Policy administrators to let them perform work related to that role:

AGPM Administrator: Group Policy administrators assigned the AGPM Administrator (Full Control) role can perform any task in AGPM. AGPM Administrators can configure domain-wide options and delegate permissions to other Group Policy administrators.
Approver: Group Policy administrators assigned the Approver role can deploy GPOs to the production environment for a domain. Approvers can also create and delete GPOs and approve or reject requests from Editors. Approvers can view the list of GPOs in a domain, view the policy settings in GPOs, and create and view reports of the policy settings in a GPO. They cannot edit the policy settings in GPOs unless they are also assigned the Editor role.
Editor: Group Policy administrators assigned the Editor role can view the list of GPOs in a domain, view the policy settings in GPOs, edit the policy settings in GPOs, and create and view reports of the policy settings in a GPO. Unless they are also assigned the Approver role, Editors cannot create, deploy, or delete GPOs. However, they can request that GPOs be created, deployed, or deleted.
Reviewer: Group Policy administrators assigned the Reviewer role can view the list of GPOs in a domain and create and view reports of the policy settings in a GPO. Unless they are also assigned the Editor role, they cannot edit policy settings in a GPO.

AGPM gives AGPM Administrators the flexibility to configure permissions at a more detailed level than roles by using the AGPM snap-in. Table 2 describes these permissions and indicates the permissions granted to each role by default.

Permission	Description	AGPM Administrator	Approver	Editor	Reviewer
Full Control	Have all permissions.	Yes
Create GPO	Create GPOs in a domain.	Yes	Yes
List Contents	List the GPOs in a domain.	Yes	Yes	Yes	Yes
Read Settings	Read the policy settings within a GPO.	Yes	Yes	Yes	Yes
Edit Settings	Change the policy settings in a GPO.	Yes		Yes
Delete GPO	Delete a GPO.	Yes	Yes
Modify Security	Delegate domain-level access, delegate access to a single GPO, and delegate access to the production environment.	Yes
Deploy GPO	Deploy a GPO from the archive to the production environment.	Yes	Yes
Create Template	Create a GPO template in AGPM.	Yes		Yes
Modify Options	Configure AGPM e-mail notification and limit the GPO versions stored in the archive.	Yes
Export GPO	Export a GPO to a file.	Yes		Yes
Import GPO	Import a GPO from a file.	Yes		Yes

Note Export GPO and Import GPO permissions are not available in AGPM 3.0 or 2.5.

The ability to delegate access to GPOs in the production environment for a domain and the ability to limit the number of GPO versions stored are not available in AGPM 2.5.

Additional references

For information about what tasks can be performed by Group Policy administrators assigned a particular role or about which permissions are required to perform a specific task, see the Operations Guide for AGPM.

14 KiB Raw Blame History

Technical Overview of AGPM

Terminology

What AGPM installs, creates, and affects

Additional references

Archive

Additional references

Roles and permissions

Additional references

14 KiB

Raw Blame History