Skip to content

Commit

Permalink
Merge branch 'main' into aditi-acrolinx-updates
Browse files Browse the repository at this point in the history
  • Loading branch information
aditisrivastava07 authored Sep 25, 2024
2 parents 6cd8b7f + 09c2caa commit 34f7f8b
Show file tree
Hide file tree
Showing 9 changed files with 78 additions and 32 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
author: tiaraquan
ms.author: tiaraquan
manager: aaroncz
ms.service: windows-client
ms.subservice: autopatch
ms.topic: include
ms.date: 09/24/2024
ms.localizationpriority: medium
---
<!--This file is shared by windows-autopatch-driver-and-firmware-programmatic-controls.md, windows-autopatch-windows-quality-update-programmatic-controls.md, and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->

You must have access to the following endpoints:

[Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update)

- *.prod.do.dsp.mp.microsoft.com
- *.windowsupdate.com
- *.dl.delivery.mp.microsoft.com
- *.update.microsoft.com
- *.delivery.mp.microsoft.com
- tsfe.trafficshaping.dsp.mp.microsoft.com

Graph API endpoints:

- devicelistenerprod.microsoft.com
- login.windows.net
- payloadprod*.blob.core.windows.net
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/16/2024
ms.date: 09/24/2024
---

# Programmatic controls for drivers and firmware updates
Expand Down Expand Up @@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-fix-is
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Autopath permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]

### Required endpoints

<!--Using include for required Graph API endpoints-->
[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]

## Open Graph Explorer

<!--Using include for Graph Explorer sign in-->
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/16/2024
ms.date: 09/24/2024
---

# Programmatic controls for Windows feature updates
Expand Down Expand Up @@ -48,6 +48,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]

### Required endpoints

<!--Using include for required Graph API endpoints-->
[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]

## Open Graph Explorer

<!--Using include for Graph Explorer sign in-->
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/16/2024
ms.date: 09/24/2024
---

# Programmatic controls for expedited Windows quality updates
Expand Down Expand Up @@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]

### Required endpoints

<!--Using include for required Graph API endpoints-->
[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]

## Open Graph Explorer

<!--Using include for Graph Explorer sign in-->
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
ms.date: 09/16/2024
ms.date: 09/24/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
Expand Down Expand Up @@ -33,7 +33,7 @@ There are URLs from several Microsoft products that must be in the allowed list
| Microsoft service | URLs required on Allowlist |
| ----- | ----- |
| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p> |
| Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p> |
| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) |

#### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints)
Expand Down Expand Up @@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha

| Microsoft service | URLs required on allowlist |
| ----- | ----- |
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li></ul>|
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li><li>devicelistenerprod.microsoft.com</li><li>login.windows.net</li><li>payloadprod*.blob.core.windows.net</li></ul>|

## Delivery Optimization

Expand Down
23 changes: 0 additions & 23 deletions windows/deployment/windows-enterprise-e3-overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,6 @@ Windows Enterprise edition has many features that are unavailable in Windows Pro
|Feature|Description|
|--- |--- |
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires <ul><li>UEFI 2.3.1 or greater with Trusted Boot</li><li>Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled</li><li>x64 version of Windows</li><li>IOMMU, such as Intel VT-d, AMD-Vi</li><li>BIOS Lockdown</li><li>TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*</li></ul>|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/microsoft-desktop-optimization-pack/app-v/appv-for-windows).|
|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows).|
Expand Down Expand Up @@ -106,28 +105,6 @@ For more information about implementing Credential Guard, see the following reso
- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)

### Device Guard

Now that the devices have Windows Enterprise, Device Guard can be implemented on the Windows Enterprise devices by performing the following steps:

1. **Optionally, create a signing certificate for code integrity policies**. As code integrity policies are deployed, catalog files or code integrity policies might need to be signed internally. To sign catalog files or code integrity policies internally, either a publicly issued code signing certificate (normally purchase) or an internal certificate authority (CA) is needed. If an internal CA is chosen, a code signing certificate needs to be created.

2. **Create code integrity policies from "golden" computers**. Departments or roles sometimes use distinctive or partly distinctive sets of hardware and software. In these instances, "golden" computers containing the software and hardware for these departments or roles can be set up. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, a code integrity policy can be created and then decided how to manage that policy. Code integrity policies can be merged to create a broader policy or a primary policy, or each policy can be managed and deployed individually.

3. **Audit the code integrity policy and capture information about applications that are outside the policy**. Microsoft recommends using "audit mode" to carefully test each code integrity policy before enforcing it. With audit mode, no application is blocked. The policy just logs an event whenever an application outside the policy is started. Later, the policy can be expanded to allow these applications, as needed.

4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for the unsigned LOB applications. In later steps, the catalog file's signature can be merged into the code integrity policy so that the policy allows applications in the catalog.

5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log. Once the information is captured, merge that information into the existing policy. Code integrity policies can also be merged from other sources, which allow flexibility in creating the final code integrity policies.

6. **Deploy code integrity policies and catalog files**. After confirming that all the preceding steps are completed, catalog files can be deployed and the code integrity policies can be taken out of audit mode. Microsoft strongly recommends beginning this process with a test group of users. Testing provides a final quality-control validation before deploying the catalog files and code integrity policies more broadly.

7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.

For more information about implementing Device Guard, see:

- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)

### AppLocker management

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: PDE settings and configuration
description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
ms.topic: how-to
ms.date: 05/06/2024
ms.date: 09/24/2024
---

# PDE settings and configuration
Expand Down Expand Up @@ -36,6 +36,21 @@ The following table lists the recommended settings to improve PDE's security.

## Configure PDE with Microsoft Intune

If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.

### Disk encryption policy

To configure devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:

- **Platform** > **Windows**
- **Profile** > **Personal Data Encryption**

Provide a name, and select **Next**. In the **Configuration settings** page, select **Enable Personal Data Encryption** and configure the settings as needed.

Assign the policy to a group that contains as members the devices or users that you want to configure.

### Settings catalog policy

[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]

| Category | Setting name | Value |
Expand Down Expand Up @@ -80,6 +95,17 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE

Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.

### Disable PDE with a disk encryption policy

To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:

- **Platform** > **Windows**
- **Profile** > **Personal Data Encryption**

Provide a name, and select **Next**. In the **Configuration settings** page, select **Disable Personal Data Encryption**.

Assign the policy to a group that contains as members the devices or users that you want to configure.

### Disable PDE with a settings catalog policy in Intune

[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
ms.date: 05/06/2024
ms.date: 09/24/2024

title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
ms.date: 05/06/2024
ms.date: 09/24/2024
---

# Personal Data Encryption (PDE)
Expand Down

0 comments on commit 34f7f8b

Please sign in to comment.