diff --git a/.gitignore b/.gitignore index 8a50b7c03e..714d719522 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,4 @@ Tools/NuGet/ .openpublishing.build.mdproj .openpublishing.buildcore.ps1 packages.config -windows/keep-secure/index.md \ No newline at end of file +windows/keep-secure/index.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index ca48c1e70e..5d3ccc874e 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -2,7 +2,7 @@ ## [Change history for Windows 10 for Education](change-history-edu.md) ## [Setup options for Windows 10](set-up-windows-10.md) ### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) -### [Technical reference for the Set up School PCs app )](set-up-school-pcs-technical.md) +### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md) ## [Get Minecraft Education Edition](get-minecraft-for-education.md) @@ -11,6 +11,7 @@ ## [Take tests in Windows 10 ](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC ](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md) -### [Take a Test app technical reference ](take-a-test-app-technical.md) +### [Take a Test app technical reference ](take-a-test-app-technical.md) +## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) -## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file +## [Chromebook migration guide](chromebook-migration-guide.md) diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md new file mode 100644 index 0000000000..28792bb055 --- /dev/null +++ b/education/windows/edu-deployment-recommendations.md @@ -0,0 +1,127 @@ +--- +title: Deployment recommendations for school IT administrators +description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. +keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"] +ms.mktglfcycl: plan +ms.sitesec: library +author: CelesteDG +--- + +# Deployment recommendations for school IT administrators +**Applies to:** + +- Windows 10 + + +Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](http://go.microsoft.com/fwlink/?LinkId=809305). + +Here are some best practices and specific privacy settings we’d like you to be aware of. + +## Deployment best practices + +Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts: +* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account. + +* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school. +* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Windows Store. + +## Windows 10 Contacts privacy settings + +If you’re an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district: +* [Configure Windows telemetry in your organization](http://go.microsoft.com/fwlink/?LinkId=817241) - Describes the types of telemetry we gather and the ways you can manage this data. +* [Manage connections from Windows operating system components to Microsoft services](http://go.microsoft.com/fwlink/?LinkId=817240) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data. + +In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student’s contacts list. By default, this setting is turned on. + +To change the setting, you can: +* [Turn off access to contacts for all apps](#turn-off-access-to-contacts-for-all-apps) +* [Choose the apps that you want to allow access to contacts](#choose-the-apps-that-you-want-to-allow-access-to-contacts) + +### Turn off access to contacts for all apps +To turn off access to contacts for all apps on individual Windows devices: +1. On the computer, go to **Settings** and select **Privacy**. + + ![Privacy settings](images/settings-privacy-marked.png) + +2. Under the list of **Privacy** areas, select **Contacts**. + + ![Contacts privacy settings](images/privacy-contacts-marked.png) + +3. Turn off **Let apps access my contacts**. + +For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To do this: +1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**. +2. Set the **Select a setting** box to **Force Deny**. + +### Choose the apps that you want to allow access to contacts +If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off. + +![Choose apps with access to contacts](images/settings-contacts-app-marked.png) + +The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts. + +To allow only certain apps to have access to contacts, you can: +* Configure each app individually using the **Settings** > **Contacts** option in the Windows UI +* Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce. + + ![App privacy Group Policy](images/app-privacy-group-policy.png) + +## Skype and Xbox settings + +Skype Preview (a Universal Windows Platform [UWP] preview app) and Xbox are preinstalled as part of Windows 10. + +The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see this [FAQ](http://go.microsoft.com/fwlink/?LinkId=821441). + +With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account. + +Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox are not manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories. + +If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by: +* [Managing the user profile](#managing-the-user-profile) +* [Deleting the account if the user name is part of the identifying information](#delete-an-account-if-username-is-identifying) + +### Managing the user profile +#### Skype +Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype. + +To manage and edit your profile in the Skype UWP app, follow these steps: +1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype-profile-icon.png) to go to the user’s profile page. +2. In the **Accounts** section, select **Manage** for the Skype account that you want to change. This will take you to the online Skype portal. +3. In the online Skype portal, scroll down to the Account details section. In Settings and preferences, select Edit profile. +The profile page includes these sections: + * Profile completeness + * Personal information + * Contact details +4. Review the information in each section and click **Edit** to change the information being shared. +5. If you do not wish your name to be included, replace the fields with **XXX**. +6. To change your profile picture, simply click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. + + ![Skype profile icon](images/skype-manage-profile-pic.png) + + * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). + * You can also change the visibility of your profile picture between public (everyone) or your contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**. + +#### Xbox +A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive. + +To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](http://go.microsoft.com/fwlink/?LinkId=821445). + + +### Delete an account if username is identifying +If you want to delete either (or both) the Skype and the Xbox accounts, here’s how to do it. + +#### Skype +To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](http://go.microsoft.com/fwlink/?LinkId=816515) + +If you need help deleting the account, you can contact Skype customer service by going to the [Skype support request page](http://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can: +1. Select a help topic (**Account and Password**) +2. Select a related problem (**Deleting an account**) +3. Click **Next**. +4. Select a contact method to get answers to your questions. + + +#### Xbox +To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](http://go.microsoft.com/fwlink/?LinkId=816521). + +## Related topics +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) diff --git a/education/windows/images/app-privacy-group-policy.png b/education/windows/images/app-privacy-group-policy.png new file mode 100644 index 0000000000..96a5f0380a Binary files /dev/null and b/education/windows/images/app-privacy-group-policy.png differ diff --git a/education/windows/images/privacy-contacts-marked.png b/education/windows/images/privacy-contacts-marked.png new file mode 100644 index 0000000000..54a3116408 Binary files /dev/null and b/education/windows/images/privacy-contacts-marked.png differ diff --git a/education/windows/images/settings-contacts-app-marked.png b/education/windows/images/settings-contacts-app-marked.png new file mode 100644 index 0000000000..94523f1b36 Binary files /dev/null and b/education/windows/images/settings-contacts-app-marked.png differ diff --git a/education/windows/images/settings-privacy-marked.png b/education/windows/images/settings-privacy-marked.png new file mode 100644 index 0000000000..513e9b1afc Binary files /dev/null and b/education/windows/images/settings-privacy-marked.png differ diff --git a/education/windows/images/skype-manage-profile-pic.png b/education/windows/images/skype-manage-profile-pic.png new file mode 100644 index 0000000000..4133ac9c60 Binary files /dev/null and b/education/windows/images/skype-manage-profile-pic.png differ diff --git a/education/windows/images/skype-profile-icon.png b/education/windows/images/skype-profile-icon.png new file mode 100644 index 0000000000..7ccaaea693 Binary files /dev/null and b/education/windows/images/skype-profile-icon.png differ diff --git a/education/windows/images/uwp-dependencies.PNG b/education/windows/images/uwp-dependencies.PNG new file mode 100644 index 0000000000..4e2563169f Binary files /dev/null and b/education/windows/images/uwp-dependencies.PNG differ diff --git a/education/windows/images/uwp-family.PNG b/education/windows/images/uwp-family.PNG new file mode 100644 index 0000000000..bec731eec4 Binary files /dev/null and b/education/windows/images/uwp-family.PNG differ diff --git a/education/windows/images/uwp-license.PNG b/education/windows/images/uwp-license.PNG new file mode 100644 index 0000000000..ccb5cf7cf4 Binary files /dev/null and b/education/windows/images/uwp-license.PNG differ diff --git a/education/windows/index.md b/education/windows/index.md index ad2cc941ff..99b3861a6b 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -21,6 +21,7 @@ author: jdeckerMS | [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC. | | [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. | | [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | +| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index a122b0aa04..abf4fc1bd3 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -16,7 +16,7 @@ author: jdeckerMS -The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 86a2cf7148..10fd71790b 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -13,7 +13,7 @@ author: jdeckerMS - Windows 10 -If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) ## Create the provisioning package diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index da25088b6b..be00f841ac 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -37,7 +37,7 @@ If you want to [provision a school PC to join a domain](set-up-students-pcs-to-j ## Create a provisioning package to add apps after initial setup -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). @@ -73,15 +73,27 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi ## Add a universal app to your package +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](https://technet.microsoft.com/en-us/itpro/windows/manage/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. + 1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. -2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name) +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. + + ![details for offline app package](images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?) +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. -5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get) + ![required frameworks for offline app package](images/uwp-dependencies.png) + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page. + + ![generate license for offline app](images/uwp-license.png) + +[Learn more about distributing offline apps from the Windows Store for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/distribute-offline-apps) + +> **Note:** Removing a provisioning package will not remove any apps installed by device context in that provisioning package. **Next steps** - (optional) [Add a desktop app to your package](#add-a-desktop-app-to-your-package) diff --git a/windows/deploy/images/package.png b/windows/deploy/images/package.png new file mode 100644 index 0000000000..f5e975e3e9 Binary files /dev/null and b/windows/deploy/images/package.png differ diff --git a/windows/deploy/images/uwp-dependencies.PNG b/windows/deploy/images/uwp-dependencies.PNG new file mode 100644 index 0000000000..4e2563169f Binary files /dev/null and b/windows/deploy/images/uwp-dependencies.PNG differ diff --git a/windows/deploy/images/uwp-family.PNG b/windows/deploy/images/uwp-family.PNG new file mode 100644 index 0000000000..bec731eec4 Binary files /dev/null and b/windows/deploy/images/uwp-family.PNG differ diff --git a/windows/deploy/images/uwp-license.PNG b/windows/deploy/images/uwp-license.PNG new file mode 100644 index 0000000000..ccb5cf7cf4 Binary files /dev/null and b/windows/deploy/images/uwp-license.PNG differ diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md index 9183f2f9cd..31071beb75 100644 --- a/windows/deploy/provision-pcs-for-initial-deployment.md +++ b/windows/deploy/provision-pcs-for-initial-deployment.md @@ -49,7 +49,7 @@ Provisioning packages can include management instructions and policies, installa ## Create the provisioning package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md index 370a52069a..99714ca8e9 100644 --- a/windows/deploy/provision-pcs-with-apps-and-certificates.md +++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md @@ -33,7 +33,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur ## Create the provisioning package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). @@ -52,22 +52,35 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Add all the files required for the app install, including the data files and the installer. -3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option. +3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. > **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx). ### Add a universal app to your package +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. + 1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. -2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name) +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. + + ![details for offline app package](images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?) +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. + + ![required frameworks for offline app package](images/uwp-dependencies.png) + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page. + + ![generate license for offline app](images/uwp-license.png) + +[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) + +> **Note:** Removing a provisioning package will not remove any apps installed by device context in that provisioning package. -5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get) ### Add a certificate to your package @@ -147,6 +160,8 @@ If your build is successful, the name of the provisioning package, output direct ## Apply package +**During initial setup, from a USB drive** + 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. ![The first screen to set up a new PC](images/oobe.jpg) @@ -186,6 +201,13 @@ If your build is successful, the name of the provisioning package, output direct 10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. ![Sign in](images/sign-in-prov.png) + + +**After setup, from a USB drive, network folder, or SharePoint site** + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + +![add a package option](images/package.png) ## Learn more - [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md index 8d5d6141d3..e95ace2aad 100644 --- a/windows/deploy/provisioning-packages.md +++ b/windows/deploy/provisioning-packages.md @@ -93,7 +93,7 @@ For details about the settings you can customize in provisioning packages, see [ ## Creating a provisioning package -With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740). +With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit). While running ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box: diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index a6783a029d..55e76873c4 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -15,6 +15,7 @@ ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) +## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) ## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) ### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) #### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md index fc07133c99..69108c1fcc 100644 --- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md index f5f2edf9d6..11b782d3f8 100644 --- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index f72093bb1e..f567285c1b 100644 --- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md index f6dcdfddf4..d70e138887 100644 --- a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md index 3863b0cf74..bbc34eda26 100644 --- a/windows/keep-secure/basic-firewall-policy-design.md +++ b/windows/keep-secure/basic-firewall-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index 66865b93a6..550aa7e934 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md index b44e15fdc1..da0878002d 100644 --- a/windows/keep-secure/boundary-zone.md +++ b/windows/keep-secure/boundary-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. @@ -60,4 +60,4 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -**Next: **[Encryption Zone](encryption-zone.md) +**Next:**[Encryption Zone](encryption-zone.md) diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md index 8b5e59db2e..0c3612bef6 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md index 8d0483f776..6a1a244f5c 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 43f2a07b2b..1b0dc4f144 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -17,7 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) -- Remote Credential Guard change to link when ready (remote-credential-guard.md) +- [Remote Credential Guard](remote-credential-guard.md) ## July 2016 @@ -48,7 +48,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | |[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New | ## April 2016 diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md index 156957d053..747345df41 100644 --- a/windows/keep-secure/change-rules-from-request-to-require-mode.md +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md index 979ef0e243..af8be53831 100644 --- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md index a3cd9303ca..5385c20f4d 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index f954a6f45e..996a84ad21 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md index 898aff61c0..93506e5368 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md index 8bf35ebe8e..aba8c91407 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md index 41375ddbad..4533b51003 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md index b846638c4e..207e94a1a5 100644 --- a/windows/keep-secure/checklist-creating-group-policy-objects.md +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md index 16681cba2a..bf0e277be4 100644 --- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for creating firewall rules in your GPOs. diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md index 22b8d892c8..9187d83a88 100644 --- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for creating outbound firewall rules in your GPOs. diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index bd5a21cdb8..febc811262 100644 --- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md index f72a945895..0e170e2c53 100644 --- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. @@ -26,7 +26,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co | Task | Reference | | - | - | | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md index 1cab0a3744..6a65e70ac2 100644 --- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md index a57af52e9a..1c370cc0c7 100644 --- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md index e4ed2e3d00..533859a661 100644 --- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/keep-secure/configure-authentication-methods.md index c637681093..cee5bff4da 100644 --- a/windows/keep-secure/configure-authentication-methods.md +++ b/windows/keep-secure/configure-authentication-methods.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md index 1b0e5489ab..4c7f4c94ea 100644 --- a/windows/keep-secure/configure-data-protection-quick-mode-settings.md +++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md index a3687db1b5..0251ff4352 100644 --- a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md index 097d29b877..dd11e2d12d 100644 --- a/windows/keep-secure/configure-key-exchange-main-mode-settings.md +++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md index 0784a64b85..086d294c27 100644 --- a/windows/keep-secure/configure-the-windows-firewall-log.md +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md index 89b5eb68e9..3b75bc141f 100644 --- a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index b4990058e6..057dd20255 100644 --- a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md index 0423277e45..c64746932b 100644 --- a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md index 694250fe3b..0b0fc49d34 100644 --- a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. @@ -47,4 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md index 6aeb64d983..6ada08d53f 100644 --- a/windows/keep-secure/create-a-group-account-in-active-directory.md +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md index 42a0e5ae62..bdd41a37ca 100644 --- a/windows/keep-secure/create-a-group-policy-object.md +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create a new GPO, use the Active Directory Users and Computers MMC snap-in. diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md index b0a4ec1118..e48455f5e9 100644 --- a/windows/keep-secure/create-an-authentication-exemption-list-rule.md +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md index 1c947f68f9..42617dc699 100644 --- a/windows/keep-secure/create-an-authentication-request-rule.md +++ b/windows/keep-secure/create-an-authentication-request-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/keep-secure/create-an-inbound-icmp-rule.md index f76bba3007..83983389da 100644 --- a/windows/keep-secure/create-an-inbound-icmp-rule.md +++ b/windows/keep-secure/create-an-inbound-icmp-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md index e2a911293f..212bf9a8fc 100644 --- a/windows/keep-secure/create-an-inbound-port-rule.md +++ b/windows/keep-secure/create-an-inbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md index 51524c047d..62c8e83e1b 100644 --- a/windows/keep-secure/create-an-inbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/keep-secure/create-an-outbound-port-rule.md index 98c85d581c..9a06f49266 100644 --- a/windows/keep-secure/create-an-outbound-port-rule.md +++ b/windows/keep-secure/create-an-outbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md index 342e863ffd..2e7e5c2e1e 100644 --- a/windows/keep-secure/create-an-outbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc.md b/windows/keep-secure/create-inbound-rules-to-support-rpc.md index 0ba04d529e..a7cf60c649 100644 --- a/windows/keep-secure/create-inbound-rules-to-support-rpc.md +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md index f4b066d3e1..3cbb5be9a5 100644 --- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index fdf497e545..6d70cbad2b 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md @@ -1,5 +1,5 @@ --- title: Create a Device Guard code integrity policy based on a reference device (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 3974a748e2..94996dab65 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -90,7 +90,7 @@ The PC must meet the following hardware and software requirements to use Credent TPM 2.0 -Windows 10 version 1511 +Windows 10 version 1511 or later TPM 2.0 or TPM 1.2 @@ -109,7 +109,11 @@ The PC must meet the following hardware and software requirements to use Credent

Physical PC

-

For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.

+

For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.

+ + +

Virtual machine

+

For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.

@@ -144,9 +148,8 @@ First, you must add the virtualization-based security features. You can do this **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. -3. Select the **Isolated User Mode** check box. -4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -5. Click **OK**. +3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +4. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. @@ -154,12 +157,14 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` -3. Add Isolated User Mode by running the following command: - ``` syntax - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` > **Note:**  You can also add these features to an online image by using either DISM or Configuration Manager. -  + + +In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: + +``` syntax +dism /image: /Enable-Feature /FeatureName:IsolatedUserMode +``` ### Turn on Credential Guard If you don't use Group Policy, you can enable Credential Guard by using the registry. @@ -203,7 +208,7 @@ If you have to remove Credential Guard on a PC, you need to do the following: 3. Accept the prompt to disable Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. -> **Note: ** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).   diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 9eda4d82c8..943481d23b 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -28,15 +28,21 @@ For information about enabling Credential Guard, see [Protect derived domain cre ## Windows feature requirements for virtualization-based security -In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1). +In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS: + +- With Windows 10, version 1607 or Windows Server 2016:
+Hyper-V Hypervisor (shown in Figure 1). + +- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
+Hyper-V Hypervisor and Isolated User Mode (not shown). > **Note**  You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md).   ![Turn Windows features on or off](images/dg-fig1-enableos.png) -Figure 1. Enable operating system features for VBS +Figure 1. Enable operating system feature for VBS -After you enable these features, you can configure any additional hardware-based security features you want. The following sections provide more information: +After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information: - [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot) - [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity) @@ -44,7 +50,7 @@ After you enable these features, you can configure any additional hardware-based Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10. -> **Note**  There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. +> **Note**  There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. For more information about how IOMMUs help protect against DMA attacks, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). 1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. @@ -52,9 +58,9 @@ Before you begin this process, verify that the target device meets the hardware 3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate: - - Set this value to **1** to enable the **Secure Boot** option. - - - Set this value to **2** to enable the **Secure Boot with DMA Protection** option. + | **With Windows 10, version 1607,
or Windows Server 2016** | **With an earlier version of Windows 10,
or Windows Server 2016 Technical Preview 5 or earlier** | + | ---------------- | ---------------- | + | **1** enables the **Secure Boot** option
**3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option
**2** enables the **Secure Boot and DMA protection** option | 4. Restart the client computer. @@ -80,11 +86,11 @@ Unfortunately, it would be time consuming to perform these steps manually on eve Figure 6. Enable VBS -5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list. +5. Select the **Enabled** button, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list. ![Group Policy, Turn On Virtualization Based Security](images/device-guard-gp.png) - Figure 7. Enable Secure Boot + Figure 7. Enable Secure Boot (in Windows 10, version 1607) > **Note**  Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMUs, there are several mitigations provided by leveraging Secure Boot without DMA Protection. @@ -102,7 +108,11 @@ Before you begin this process, verify that the desired computer meets the hardwa **To configure virtualization-based protection of KMCI manually:** -1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. +1. Navigate to the appropriate registry subkey: + + - With Windows 10, version 1607, or Windows Server 2016:
**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios** + + - With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** 2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**. @@ -130,11 +140,15 @@ It would be time consuming to perform these steps manually on every protected co Figure 3. Enable VBS -5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box. +5. Select the **Enabled** button, and then for **Virtualization Based Protection of Code Integrity**, select the appropriate option: + + - With Windows 10, version 1607 or Windows Server 2016, choose an enabled option:
For an initial deployment or test deployment, we recommend **Enabled without UEFI lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. + + - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png) - Figure 4. Enable VBS of KMCI + Figure 4. Enable VBS of KMCI (in Windows 10, version 1607) 6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart. @@ -176,7 +190,12 @@ Table 1. Win32\_DeviceGuard properties

  • 1. If present, hypervisor support is available.

  • 2. If present, Secure Boot is available.

  • 3. If present, DMA protection is available.

    • - +

  • 4. If present, Secure Memory Overwrite is available.

    • +

  • 5. If present, NX protections are available.

    • +

  • 6. If present, SMM mitigations are available.

    • + +

    Note: 4, 5, and 6 were added as of Windows 10, version 1607.

    + InstanceIdentifier @@ -188,10 +207,15 @@ Table 1. Win32\_DeviceGuard properties This field describes the required security properties to enable virtualization-based security.

    • 0. Nothing is required.

      • -

    • 1. If present, Secure Boot is needed.

      • -

    • 2. If present, DMA protection is needed.

      • -

    • 3. If present, both Secure Boot and DMA protection are needed.

      • -
    +

  • 1. If present, hypervisor support is needed.

    • +

  • 2. If present, Secure Boot is needed.

    • +

  • 3. If present, DMA protection is needed.

    • +

  • 4. If present, Secure Memory Overwrite is needed.

    • +

  • 5. If present, NX protections are needed.

    • +

  • 6. If present, SMM mitigations are needed.

    • + +

    Note: 4, 5, and 6 were added as of Windows 10, version 1607.

    + SecurityServicesConfigured diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md index 144252b206..df45d7bcb2 100644 --- a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md index 8bbd75608d..01ed85051c 100644 --- a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 5e60c5e980..566a6df4da 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -1,4 +1,4 @@ --- title: Device Guard certification and compliance (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md index 88e67e80c4..9c120835e8 100644 --- a/windows/keep-secure/documenting-the-zones.md +++ b/windows/keep-secure/documenting-the-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md index 2bfcf9cbc8..f5cc8ea0f6 100644 --- a/windows/keep-secure/domain-isolation-policy-design-example.md +++ b/windows/keep-secure/domain-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md index da2564242b..6f15c8338f 100644 --- a/windows/keep-secure/domain-isolation-policy-design.md +++ b/windows/keep-secure/domain-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md index fe16701837..59e8325dac 100644 --- a/windows/keep-secure/enable-predefined-inbound-rules.md +++ b/windows/keep-secure/enable-predefined-inbound-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/keep-secure/enable-predefined-outbound-rules.md index 1691399b8a..137de67aa2 100644 --- a/windows/keep-secure/enable-predefined-outbound-rules.md +++ b/windows/keep-secure/enable-predefined-outbound-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md index dcb49121a4..357f2eebfc 100644 --- a/windows/keep-secure/encryption-zone-gpos.md +++ b/windows/keep-secure/encryption-zone-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md index f6fd2aacd4..7e59ef31e3 100644 --- a/windows/keep-secure/encryption-zone.md +++ b/windows/keep-secure/encryption-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md index 35a8444e6e..c7fe4f7637 100644 --- a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md index 3eb6bdda15..936468b4c3 100644 --- a/windows/keep-secure/event-4706.md +++ b/windows/keep-secure/event-4706.md @@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016 Technical Preview
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md index 8140c94b16..65ea86275d 100644 --- a/windows/keep-secure/event-4716.md +++ b/windows/keep-secure/event-4716.md @@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016 Technical Preview
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md index 8b692f1ea3..44897f5f13 100644 --- a/windows/keep-secure/event-4739.md +++ b/windows/keep-secure/event-4739.md @@ -165,14 +165,14 @@ This event generates when one of the following changes was made to local compute | Value | Identifier | Domain controller operating systems that are allowed in the domain | |-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
    Windows Server 2003 operating system
    Windows Server 2008 operating system
    Windows Server 2008 R2 operating system
    Windows Server 2012 operating system
    Windows Server 2012 R2 operating system
    Windows Server 2016 Technical Preview operating system | -| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview | +| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
    Windows Server 2003 operating system
    Windows Server 2008 operating system
    Windows Server 2008 R2 operating system
    Windows Server 2012 operating system
    Windows Server 2012 R2 operating system
    Windows Server 2016 operating system | +| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
    Windows Server 2016 | +| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 | - **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document. diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md index a60e483753..21100a9674 100644 --- a/windows/keep-secure/exempt-icmp-from-authentication.md +++ b/windows/keep-secure/exempt-icmp-from-authentication.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md index 3ebf7a465b..fc0fd3b704 100644 --- a/windows/keep-secure/exemption-list.md +++ b/windows/keep-secure/exemption-list.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md index b264a38993..229cb2a3e0 100644 --- a/windows/keep-secure/firewall-gpos.md +++ b/windows/keep-secure/firewall-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md index 41310314aa..8dad2b48f7 100644 --- a/windows/keep-secure/firewall-policy-design-example.md +++ b/windows/keep-secure/firewall-policy-design-example.md @@ -13,13 +13,13 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In this example, the fictitious company Woodgrove Bank is a financial services institution. Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. -Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. +Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. @@ -60,7 +60,7 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t - Client devices that run Windows 10, Windows 8, or Windows 7 -- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) +- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) - WGBank partner servers that run Windows Server 2008 diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md index 33727fc9f4..0c507fdc73 100644 --- a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md +++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md index 65555cc782..67dcea5661 100644 --- a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md index 1f3b73fa21..7f4692a95a 100644 --- a/windows/keep-secure/gathering-information-about-your-devices.md +++ b/windows/keep-secure/gathering-information-about-your-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md index ca8d396fcb..83ee00960a 100644 --- a/windows/keep-secure/gathering-other-relevant-information.md +++ b/windows/keep-secure/gathering-other-relevant-information.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md index 3e8a62b0cc..a11fbf67c8 100644 --- a/windows/keep-secure/gathering-the-information-you-need.md +++ b/windows/keep-secure/gathering-the-information-you-need.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index 542e85c56f..88a3f076b6 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -1,4 +1,4 @@ --- title: Get apps to run on Device Guard-protected devices (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/keep-secure/gpo-domiso-boundary.md index 22db5273b8..00fb043b7a 100644 --- a/windows/keep-secure/gpo-domiso-boundary.md +++ b/windows/keep-secure/gpo-domiso-boundary.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md index 226c9deac1..d1349941e1 100644 --- a/windows/keep-secure/gpo-domiso-firewall.md +++ b/windows/keep-secure/gpo-domiso-firewall.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md index 0f2faadb9e..a6ab80ad09 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md index fb984adf5f..91cd4e3890 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index b1adf33fd9..092982bd0a 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png index 0c2c1c9d4f..c6713c2bf3 100644 Binary files a/windows/keep-secure/images/device-guard-gp.png and b/windows/keep-secure/images/device-guard-gp.png differ diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/keep-secure/images/dg-fig1-enableos.png index cefb124344..a114c520de 100644 Binary files a/windows/keep-secure/images/dg-fig1-enableos.png and b/windows/keep-secure/images/dg-fig1-enableos.png differ diff --git a/windows/keep-secure/images/dg-fig11-dgproperties.png b/windows/keep-secure/images/dg-fig11-dgproperties.png index ce16705d0f..3c93b2b948 100644 Binary files a/windows/keep-secure/images/dg-fig11-dgproperties.png and b/windows/keep-secure/images/dg-fig11-dgproperties.png differ diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png index bf0d55dd7f..5672f1c1f0 100644 Binary files a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png and b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png differ diff --git a/windows/keep-secure/images/remote-credential-guard-gp.png b/windows/keep-secure/images/remote-credential-guard-gp.png new file mode 100644 index 0000000000..98c97825fa Binary files /dev/null and b/windows/keep-secure/images/remote-credential-guard-gp.png differ diff --git a/windows/keep-secure/images/remote-credential-guard.png b/windows/keep-secure/images/remote-credential-guard.png new file mode 100644 index 0000000000..d8e3598dc9 Binary files /dev/null and b/windows/keep-secure/images/remote-credential-guard.png differ diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 25f0fba560..6099d183c9 100644 --- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index aee77dd192..0fb93662f0 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -22,6 +22,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | | [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | +| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. | | [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md index b7f6c3b921..745da6642b 100644 --- a/windows/keep-secure/isolated-domain-gpos.md +++ b/windows/keep-secure/isolated-domain-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md index 3d23484bf9..43e1461c41 100644 --- a/windows/keep-secure/isolated-domain.md +++ b/windows/keep-secure/isolated-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md index 09367196c5..c8adf77620 100644 --- a/windows/keep-secure/isolating-apps-on-your-network.md +++ b/windows/keep-secure/isolating-apps-on-your-network.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md index ab224211e6..ba14d60b0e 100644 --- a/windows/keep-secure/link-the-gpo-to-the-domain.md +++ b/windows/keep-secure/link-the-gpo-to-the-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 3187e17371..49dc1620f6 100644 --- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index b78b6f94f7..45548bb40f 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -101,7 +101,7 @@ Microsoft Passport offers four significant advantages over the current state of **It’s flexible** Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate. -Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 Technical Preview domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). +Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). **It’s standardized** diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 95ab7cda01..d2ed73907e 100644 --- a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md index f29f5afbb7..420518e4ca 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index e179647bac..bbecb7b8ad 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md index 2d848ec539..9712af0076 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To open a GPO to Windows Firewall diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md index cda993d4ad..8f20a73c1c 100644 --- a/windows/keep-secure/open-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to open the Windows Firewall with Advanced Security console. diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md index 69e599b812..ab5b21c69b 100644 --- a/windows/keep-secure/planning-certificate-based-authentication.md +++ b/windows/keep-secure/planning-certificate-based-authentication.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md index 208265eefb..a18fb27051 100644 --- a/windows/keep-secure/planning-domain-isolation-zones.md +++ b/windows/keep-secure/planning-domain-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md index 050a5550f7..abdff4b8ca 100644 --- a/windows/keep-secure/planning-gpo-deployment.md +++ b/windows/keep-secure/planning-gpo-deployment.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md index fff34a12c7..0718187682 100644 --- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md index b4f667a50b..0c4488940a 100644 --- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md index 4d9b002e7c..929c583624 100644 --- a/windows/keep-secure/planning-network-access-groups.md +++ b/windows/keep-secure/planning-network-access-groups.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md index 12688b93c9..9995c0e5fc 100644 --- a/windows/keep-secure/planning-server-isolation-zones.md +++ b/windows/keep-secure/planning-server-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md index 4fcbd977dc..fdcf972088 100644 --- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md index b22f0497cd..84b3750822 100644 --- a/windows/keep-secure/planning-the-gpos.md +++ b/windows/keep-secure/planning-the-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md index 1801d2a86a..8423e4b94f 100644 --- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md index c800eca94d..736612379f 100644 --- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 960ed386e5..85f3ea6a19 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -10,7 +10,7 @@ ms.pagetype: security author: jdeckerMS --- -# Prepare people to use Microsoft Passport +# Prepare people to use Windows Hello **Applies to** - Windows 10 diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md index d19699b94b..7374820ed8 100644 --- a/windows/keep-secure/procedures-used-in-this-guide.md +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md index a24379dacf..f4134b9ce9 100644 --- a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md +++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md new file mode 100644 index 0000000000..ce2fbc59b1 --- /dev/null +++ b/windows/keep-secure/remote-credential-guard.md @@ -0,0 +1,103 @@ +--- +title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10) +description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- +# Protect Remote Desktop credentials with Remote Credential Guard + +**Applies to** +- Windows 10 +- Windows Server 2016 + +Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device. + +You can use Remote Credential Guard in the following ways: + +- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device. + +- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware. + +Use the following diagrams to help understand how Remote Credential Guard works and what it helps protect against. + +![Remote Credential Guard](images/remote-credential-guard.png) + +## Hardware and software requirements + +The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard: + +- They must be joined to an Active Directory domain + - Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain. +- They must use Kerberos authentication. +- They must be running at least Windows 10, version 1607 or Windows Server 2016. +- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard. + + +## Enable Remote Credential Guard + +You must enable Remote Credential Guard on the target device by using the registry. + +1. Open Registry Editor. +2. Enable Remote Credential Guard: + - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. + - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard. +3. Close Registry Editor. + +You can add this by running the following from an elevated command prompt: + +``` +reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD +``` + +## Using Remote Credential Guard + +You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. + +### Turn on Remote Credential Guard by using Group Policy + +1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**. +2. Double-click **Restrict delegation of credentials to remote servers**. +3. In the **Use the following restricted mode** box: + - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Require Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used. + + > **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + + - If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**. +4. Click **OK**. + + ![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) + +5. Close the Group Policy Management Console. + +6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied. + + +### Use Remote Credential Guard with a parameter to Remote Desktop Connection + +If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection. + +``` +mstsc.exe /remoteGuard +``` + + +## Considerations when using Remote Credential Guard + +- Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied. + +- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory. + +- Remote Desktop Credential Guard only works with the RDP protocol. + +- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own. + +- Remote Desktop Gateway is not compatible with Remote Credential Guard. + +- You cannot used saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device. + +- Both the client and the server must be joined to the same domain or the domains must have a trust relationship. + +- The server and client must authenticate using Kerberos. \ No newline at end of file diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index 890eaf1d99..42da77aa05 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9db41d44f1..d9f6804c8a 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -32,9 +32,7 @@ For example, hardware that includes CPU virtualization extensions and SLAT will You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. -The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. - - +The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > **Notes** > - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). @@ -51,20 +49,39 @@ The following tables provide more information about the hardware, firmware, and | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

    **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | - - -> **Important**  The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. +> **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. ## Device Guard requirements for improved security The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. -### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511) +### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +
    + +### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016) + +> **Important**  The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. + +| Protections for Improved Security - requirement | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | + +
    + +### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017) + +| Protections for Improved Security - requirement | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **UEFI NX Protections** | **Requirements**:
    - All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.

    UEFI Runtime Services:
    - Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
    - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | + ## Device Guard deployment in different scenarios: types of devices Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization. diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md index 049625343b..fa2225b9c4 100644 --- a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md index d2b47a2dbe..dc34b9ac84 100644 --- a/windows/keep-secure/restrict-access-to-only-trusted-devices.md +++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md index 85d7267abb..57d1bc1e9d 100644 --- a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md index fa9c66bfb4..e3cd578183 100644 --- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 IKEv2 offers the following: diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index f7c0df0eab..c959f1bfd0 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -40,6 +40,8 @@ AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Window AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. >**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +You can block the Windows Subsystem for Linux by blocking LxssManager.dll.   ## Related topics diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md index 149730d1a5..e0075d930f 100644 --- a/windows/keep-secure/server-isolation-gpos.md +++ b/windows/keep-secure/server-isolation-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md index 4d38ed4c99..f6ddc73bf4 100644 --- a/windows/keep-secure/server-isolation-policy-design-example.md +++ b/windows/keep-secure/server-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md index a2397773da..de45c1b7c7 100644 --- a/windows/keep-secure/server-isolation-policy-design.md +++ b/windows/keep-secure/server-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md index 758bffcd66..618894db96 100644 --- a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md index e2e57dd1bd..3aabc0a07e 100644 --- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index 32edfe0160..1e1801da84 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md index 44e4ba7803..03fcc34124 100644 --- a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md +++ b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md index 425e451341..256a21b23f 100644 --- a/windows/keep-secure/vpn-profile-options.md +++ b/windows/keep-secure/vpn-profile-options.md @@ -60,8 +60,7 @@ A VPN profile configured with LockDown secures the device to only allow network ## Learn more -[VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588) +- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/vpn-connections-in-microsoft-intune) +- [VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588) +- [How to Create VPN Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618028) -[How to Create VPN Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618028) - -[Help users connect to their work using VPN profiles with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=618029) diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 51608a0fb5..d254ddcb1a 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -62,10 +62,10 @@ You can provide additional protection for laptops that don't have TPM by enablng 2. Set the number of invalid logon attempts to allow, and then click OK. -## Why do you need a PIN to use Windows Hello? +## Why do you need a PIN to use biometrics? Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Hello. +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. ## Related topics diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 17ed75ffc7..e0fac10aa2 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -334,7 +334,7 @@ The sections that follow describe these improvements in more detail. **SMB hardening improvements for SYSVOL and NETLOGON connections** -In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). +In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). - **What value does this change add?** This change reduces the likelihood of man-in-the-middle attacks. - **What works differently?** diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 23f9e3d1c0..c70e57a4b1 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md index 5dabaedf02..9cfe29f6c0 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md index acc229bd6a..47830f44c9 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md index 51c6967315..4433aaf633 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index e2ae8bfc55..bef09aaf87 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -18,10 +18,9 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) -- [Diagnostics for devices managed by MDM](diagnostics-for-mdm-devices.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -- [Guidelines for choosing an app for assigned access (kisok mode)](guidelines-for-assigned-access-app.md) +- [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) ## July 2016 diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index 54a9faaaf4..b66c71d091 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -74,7 +74,7 @@ For details about the settings you can customize in provisioning packages, see [ ## Create a provisioning package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) When you run Windows ICD, you have several options for creating your package. diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index db19b958a4..0ed8e5a3e5 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -124,7 +124,7 @@ The Upgrade Analytics workflow steps you through the discovery and rationalizati ### Data collection -Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. +Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. 1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. 2. Events are gathered using public operating system event logging and tracing APIs. diff --git a/windows/manage/connect-to-remote-aadj-pc.md b/windows/manage/connect-to-remote-aadj-pc.md index dd3b318800..8bd6f22eb0 100644 --- a/windows/manage/connect-to-remote-aadj-pc.md +++ b/windows/manage/connect-to-remote-aadj-pc.md @@ -24,7 +24,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. -- [Remote Credential Guard](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard?branch=bl-7475998), a new feature in Windows 10, version 1607, must be disabled on the remote PC. +- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC. - On the PC that you want to connect to: 1. Open system properties for the remote PC. 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 28609ad6b0..84d140abec 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -42,7 +42,7 @@ Three features enable Start and taskbar layout control: ## Create a provisioning package that contains a customized Start layout -Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 748d4c7b86..c08ee29373 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -26,6 +26,7 @@ In Windows 10, version 1607, the following Group Policies apply only to Windows | **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

    User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) | diff --git a/windows/manage/images/oma-uri-shared-pc.png b/windows/manage/images/oma-uri-shared-pc.png new file mode 100644 index 0000000000..68f9fa3b32 Binary files /dev/null and b/windows/manage/images/oma-uri-shared-pc.png differ diff --git a/windows/manage/index.md b/windows/manage/index.md index 28f9aa851f..4d01c0d616 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -37,6 +37,10 @@ Learn about managing and updating Windows 10.

    You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.

    +

    [Windows Spotlight on the lock screen](windows-spotlight.md)

    +

    Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

    + +

    [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)

    Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.

    diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md index b0d0851d25..0c82b6da7c 100644 --- a/windows/manage/lockdown-features-windows-10.md +++ b/windows/manage/lockdown-features-windows-10.md @@ -14,7 +14,7 @@ author: jdeckerMS **Applies to** - Windows 10 -- Windows 10 Mobile + Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index ff53ab6757..eb43c2c5ec 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -116,7 +116,7 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you ### Set up assigned access using Windows Imaging and Configuration Designer (ICD) -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/manage/set-up-shared-or-guest-pc.md index 9c2d3b5a62..35975b7b93 100644 --- a/windows/manage/set-up-shared-or-guest-pc.md +++ b/windows/manage/set-up-shared-or-guest-pc.md @@ -1,6 +1,6 @@ --- title: Set up a shared or guest PC with Windows 10 (Windows 10) -description: tbd +description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios. keywords: ["shared pc mode"] ms.prod: W10 ms.mktglfcycl: manage @@ -15,20 +15,60 @@ author: jdeckerMS - Windows 10 -Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. +Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. -> **Note:** If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/en-us/edu/windows/use-set-up-school-pcs-app). +> **Note:** If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/en-us/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. -A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. After setup, the device is ready for multiple users. Users only have non-administrator rights, and they can’t block other users from accessing the device. With a standard Windows PC, accounts would have to be manually cleaned by an administrator (both signed out and deleted). In shared PC mode, accounts that sign in to the PC are either deleted when the user signs out or are deleted when available disk space reaches a set threshold, depending on how you configure the settings for shared PC mode. +##Shared PC mode concepts +A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users. -You can put a PC in shared PC mode by applying a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294.aspx). +###Account models +It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account. + +###Account management +When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. + +###Maintenance and sleep +Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. + +While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Use one of the following methods to configure Windows Update: + +- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**. +- MDM: Set **Update/AllowAutoUpdate** to `4`. +- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`. + +[Learn more about the AllowAutoUpdate settings](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) + +###Customization +Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. + +| Setting | Value | +|:---|:---| +| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | +| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC.
    - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
    - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
    - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
    - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

    Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. | +| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | +| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | +| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | +| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | +| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
    - Local storage locations are restricted. Users can only save files to the cloud.
    - Custom Start and taskbar layouts are set.\*
    - A custom sign-in screen background image is set.\*
    - Additional educational policies are applied (see full list below).

    \*Only applies to Windows 10 Pro Education, Enterprise, and Education | +| Customization: SetPowerPolicies | When set as **True**:
    - Prevents users from changing power settings
    - Turns off hibernate
    - Overrides all power state transitions to sleep (e.g. lid close) | +| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | +| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | + + +##Configuring shared PC mode on Windows +You can configure Windows to be in shared PC mode in a couple different ways: +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) +![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) +- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) -## Create a provisioning package for shared use +### Create a provisioning package for shared use -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). @@ -40,24 +80,40 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit ( 5. Click **Finish**. Your project opens in Windows ICD. -6. Go to **Runtime settings** > **SharedPC**. The following table describes the settings you can configure for **SharedPC**. +6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) -Setting | Value | -:---|:---| -EnableSharedPCMode | Set as **True**. The remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**.

    If you do not set **EnableSharedPCMode** as **True**, you can create a provisioning package using the remaining settings in **SharedPC** but none of the other settings will be applied. | -AccountManagement: AccountModel | For a shared or guest PC, choose between **Only guest** and **Domain-joined and guest**.
    - **Only guest** allows anyone to use the PC as a local standard (non-admin) account. When the account is signed out, it is deleted immediately.
    - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
    - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | -AccountManagement: DeletionPolicy | - **Delete immediately** will delete all accounts on sign-out.
    - **Delete at disk space threshold** will start deleting Active Directory and Azure AD accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. | -AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | -AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | -AccountManagement: EnableAccountManager | Set as **True** if you want to set any other account management policies. | -Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | -Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional policies are applied:
    - Local storage locations are restricted. Users can only save files to the cloud.
    - Custom Start and taskbar layouts are set.\*
    - A custom sign-in screen background image is set.\*

    \*Only applies to Windows 10 Pro for Education, Enterprise, and Education | -Customization: SetPowerPolicies | When set as **True**:
    - Prevents users from changing power settings
    - Turns off hibernate
    - Enables wake timers for Windows Update
    - Turns off all state transitions to sleep | -Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | -Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | -
    +7. On the **File** menu, select **Save.** +8. On the **Export** menu, select **Provisioning package**. +9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +10. Set a value for **Package Version**. + > **Tip**   + You can make changes to existing packages and change the version number to update previously applied packages. +   +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + > **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. +   +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. + Optionally, you can click **Browse** to change the default output location. +13. Click **Next**. +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: -## Apply the provisioning package + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) (select this option to apply to a PC during initial setup) + + +### Apply the provisioning package You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up. @@ -66,7 +122,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t ![The first screen to set up a new PC](images/oobe.jpg) -2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. +2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**. ![Set up device?](images/setupmsg.jpg) @@ -118,14 +174,14 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. * If admin accounts are necessary on the PC * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out. + * Create exempt accounts before signing out when turning shared pc mode on. * The account management service supports accounts that are exempt from deletion. * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell: + * To add the account SID to the registry key using PowerShell:
    ``` $adminName = "LocalAdmin" $adminPass = 'Pa$$word123' @@ -136,142 +192,85 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force ``` + + + ## Policies set by shared PC mode +Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. > **Important**: It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + +

    Policy path

    Policy name

    Value

    Policy name

    Value

    When set?

    Admin Templates > Control Panel > Personalization

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume=True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume=True

    Specify the system sleep timeout (plugged in)

    *SleepTimeout*

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    *SleepTimeout*

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    *SleepTimeout*

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    *SleepTimeout*

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates>System>Power Management>Video and Display Settings

    Turn off the display (plugged in)

    *SleepTimeout*

    SetPowerPolicies=True

    Turn off the display (on battery

    *SleepTimeout*

    SetPowerPolicies=True

    Admin Templates>System>Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume=True

    Prevent enabling lock screen slide show

    Enabled

    Prevent changing lock screen and logon image

    Enabled

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    Select the Power button action (on battery)

    Sleep

    Select the Sleep button action (plugged in)

    Sleep

    Select the lid switch action (plugged in)

    Sleep

    Select the lid switch action (on battery)

    Sleep

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    Require a password when a computer wakes (on battery)

    Enabled

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates>System>User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies=True

    Admin Templates>Windows Components

    Do not show Windows Tips

    *Only on Pro, Enterprise, and Education*

    Enabled

    SetEduPolicies=True

    Turn off Microsoft consumer experiences

    *Only on Pro, Enterprise, and Education*

    Enabled

    SetEduPolicies=True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates>Windows Components>Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates>Windows Components>Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates>Windows Components>File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates>Windows Components>Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    *MaintenanceStartTime*

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates>Windows Components>Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies=True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies=True

    Admin Templates>Windows Components>Search

    Allow Cortana

    Disabled

    SetEduPolicies=True

    Windows Settings>Security Settings>Local Policies>Security Options

    Specify the system sleep timeout (plugged in)

    1 hour

    Specify the system sleep timeout (on battery)

    1 hour

    Turn off hybrid sleep (plugged in)

    Enabled

    Turn off hybrid sleep (on battery)

    Enabled

    Specify the unattended sleep timeout (plugged in)

    1 hour

    Specify the unattended sleep timeout (on battery)

    1 hour

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    Admin Templates>System>Power Management>Video and Display Settings

    Turn off the display (plugged in)

    1 hour

    Turn off the display (on battery

    1 hour

    Admin Templates>System>Logon

    Show first sign-in animation

    Disabled

    Hide entry points for Fast User Switching

    Enabled

    Turn on convenience PIN sign-in

    Disabled

    Turn off picture password sign-in

    Enabled

    Turn off app notification on the lock screen

    Enabled

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    Block user from showing account details on sign-in

    Enabled

    Admin Templates>System>User Profiles

    Turn off the advertising ID

    Enabled

    Admin Templates>Windows Components

    Do not show Windows Tips

    Enabled

    Turn off Microsoft consumer experiences

    Enabled

    Microsoft Passport for Work

    Disabled

    Prevent the usage of OneDrive for file storage

    Enabled

    Admin Templates>Windows Components>Biometrics

    Allow the use of biometrics

    Disabled

    Allow users to log on using biometrics

    Disabled

    Allow domain users to log on using biometrics

    Disabled

    Admin Templates>Windows Components>Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Disable pre-release features or settings

    Disabled

    Do not show feedback notifications

    Enabled

    Admin Templates>Windows Components>File Explorer

    Show lock in the user tile menu

    Disabled

    Admin Templates>Windows Components>Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    12am

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Automatic Maintenance WakeUp Policy

    Enabled

    Admin Templates>Windows Components>Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    Configure corporate home pages

    Enabled, about:blank

    Admin Templates>Windows Components>Search

    Allow Cortana

    Disabled

    Windows Settings>Security Settings>Local Policies>Security Options

    Interactive logon: Do not display last user name

    Enabled

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Interactive logon: Do not display last user name

    Enabled, Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always


    diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 3b744fbf9e..f3cf017f47 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md @@ -16,10 +16,12 @@ author: jdeckerMS - Windows 10 -> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/en-us/windows-10/getstarted-see-whats-on-the-menu) and topic-to-be-added-for-taskbars +> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/en-us/windows-10/getstarted-see-whats-on-the-menu) Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. +> **Note:** Taskbar configuration is available starting in Windows 10, version 1607. + ## Start options ![start layout sections](images/startannotated.png) @@ -121,7 +123,7 @@ Starting in Windows 10, version 1607, you can pin additional apps to the taskbar There are three categories of apps that might be pinned to a taskbar: * Apps pinned by the user -* Default Windows apps, pinned during operating system installation (Edge, File Explorer, Store) +* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) * Apps pinned by the enterprise, such as in an unattended Windows setup **Note**   diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md index c7591ce190..803e29432b 100644 --- a/windows/plan/TOC.md +++ b/windows/plan/TOC.md @@ -108,4 +108,4 @@ ### [ACT Product and Documentation Resources](act-product-and-documentation-resources.md) ### [ACT Glossary](act-glossary.md) ### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) -## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) +## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) \ No newline at end of file diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md index 55051d9fd0..52e09d3d1a 100644 --- a/windows/whats-new/device-management.md +++ b/windows/whats-new/device-management.md @@ -7,118 +7,11 @@ ms.pagetype: devices, mobile ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS +redirect_url: /whats-new/whats-new-windows-10-version-1507-and-1511 --- # Enterprise management for Windows 10 devices - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -## MDM support - - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. To learn more about the changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. - -## Unenrollment - - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. - -## Infrastructure - - -Enterprises have the following identity and management choices. - -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - -  - -**Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512). - -  - -## Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/en-us/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. - -You can also [configure a lockdown state](https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-start-layout-options-and-policies). - -## Updates - - -With Windows 10, your enterprise will have more choice and flexibility in applying operating system updates. You can manage and control updates to devices running Windows 10 Pro and Windows 10 Enterprise using MDM policies. - -While Windows Update provides updates to unmanaged devices, most enterprises prefer to manage and control the flow of updates using their device management solution. You can choose to apply the latest updates as soon as they are available, or you can set a source and schedule for updates that works for your specific requirements. - -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md). - -## Easier certificate management - - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile) - -## Learn more - - -[Windows 10: Manageability Choices](http://go.microsoft.com/fwlink/p/?LinkId=533886) - -[Windows 10: Management](http://go.microsoft.com/fwlink/p/?LinkId=533887) - -[Windows 10 Technical Preview Fundamentals for IT Pros: Windows 10 Management and Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533888) - -[Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172) - -Active Directory blog posts on Azure AD and Windows 10: - -- [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=619025) - -- [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791) - -- [Azure AD on Windows 10 Personal Devices]( http://go.microsoft.com/fwlink/p/?LinkId=619028) - -- [Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!](http://go.microsoft.com/fwlink/p/?LinkID=615765) - -## Related topics - - -[Manage corporate devices](../manage/manage-corporate-devices.md) - -[Windows Hello](microsoft-passport.md) - -[Enterprise Data Protection Overview](edp-whats-new-overview.md) - -  - -  - - - +This page has been redirected to **What's new in Windows 10, versions 1507 and 1511**. diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md index 0acfd3723a..90a8a04ba6 100644 --- a/windows/whats-new/lockdown-features-windows-10.md +++ b/windows/whats-new/lockdown-features-windows-10.md @@ -8,108 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +redirect_url: /manage/lockdown-features-windows-10 --- # Lockdown features from Windows Embedded 8.1 Industry -**Applies to** -- Windows 10 -- Windows 10 Mobile - -Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Windows Embedded 8.1 Industry lockdown featureWindows 10 featureChanges

    [Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

    		N/A

    HORM is supported in Windows 10, version 1607.

    [Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

    		[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)

    The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

    [Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

    		[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)

    Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

    [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

    		[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)

    Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

    -

    Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

    [Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

    		[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

    [Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

    		[AppLocker](../keep-secure/applocker-overview.md)

    Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

    -
      -

    • Control over which processes are able to run will now be provided by AppLocker.

      • -

    • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.

      • -

    [Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

    		Mobile device management (MDM) and Group Policy

    Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

    -

    Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

    -

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

    [Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

    		[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)

    The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

    [USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

    		MDM and Group Policy

    The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

    -

    Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

    -

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

    		[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

    -

    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    -

    Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

    [Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

    		[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.

    [Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

    		[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

    		[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    -  -  -  +This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md index a132b19ad6..57ac5201dc 100644 --- a/windows/whats-new/microsoft-passport.md +++ b/windows/whats-new/microsoft-passport.md @@ -8,35 +8,9 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: mobile, security author: jdeckerMS +redirect_url: /whats-new/whats-new-windows-10-version-1607 --- # Windows Hello overview -**Applies to** -- Windows 10 -- Windows 10 Mobile -> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -In Windows 10, Windows Hello replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Windows Hello lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Hello enrollment, Hello is set up on the user's device and the user sets a gesture, which can be biometric such as a fingerprint or a PIN. The user provides the gesture to verify identity; Windows then uses Hello to authenticate users and help them to access protected resources and services. -Hello also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions - -## Benefits of Windows Hello - -- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Windows Hello. From that point on, the employee can access enterprise resources by providing a gesture. -- **Security**. Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft - -Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs). -[Learn how to implement and manage Windows Hello for Business in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md) - -## Learn more - -[Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md) -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](http://go.microsoft.com/fwlink/p/?LinkId=533890) -[Windows 10: The End Game for Passwords and Credential Theft?](http://go.microsoft.com/fwlink/p/?LinkId=533891) - -## Related topics -[Device management](device-management.md) -  -  +This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md index 62900c57c8..1b82f732b1 100644 --- a/windows/whats-new/new-provisioning-packages.md +++ b/windows/whats-new/new-provisioning-packages.md @@ -7,124 +7,10 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: mobile author: jdeckerMS +redirect_url: /deploy/provisioning-packages --- # Provisioning packages -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. - -Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. - -## New in Windows 10, Version 1607 - -The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios. - -![Configuration Designer options](images/icd.png) - -Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators: - -* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. - - > [Learn how to use simple provisioning to configure Windows 10 computers.](../deploy/provision-pcs-for-initial-deployment.md) - -* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - - > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](../deploy/provision-pcs-with-apps-and-certificates.md) - -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - - * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) - -> **Note:** Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). - -## Benefits of provisioning packages - - -Provisioning packages let you: - -- Quickly configure a new device without going through the process of installing a new image. - -- Save time by configuring multiple devices using one provisioning package. - -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. - -- Set up a device without the device having network connectivity. - -Provisioning packages can be: - -- Installed using removable media such as an SD card or USB flash drive. - -- Attached to an email. - -- Downloaded from a network share. - -## What you can configure - - -The following table provides some examples of what can be configured using provisioning packages. - -| Customization options | Examples | -|--------------------------|-----------------------------------------------------------------------------------------------| -| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. -  - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Creating a provisioning package - - -With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10 [from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700). - -While running ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box: - -- Windows Imaging and Configuration Designer (ICD) - -> **Note:** In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. - -After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). - -## Applying a provisioning package to a device - - -Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). - -## Learn more - - -[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708) - -## Related topics - - - - -[Configure devices without MDM](../manage/configure-devices-without-mdm.md) - -  - -  - - - - - +This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 89f3cab6d6..c304d8acb2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -83,13 +83,13 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir - The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. -## New features in Windows 10, version 1507 +#### New features in Windows 10, version 1507 In Windows 10, security auditing has added some improvements: - [New audit subcategories](#bkmk-auditsubcat) - [More info added to existing audit events](#bkmk-moreinfo) -### New audit subcategories +##### New audit subcategories In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: - [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. @@ -98,7 +98,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. -### More info added to existing audit events +##### More info added to existing audit events With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: - [Changed the kernel default audit policy](#bkmk-kdal) @@ -109,16 +109,16 @@ With Windows 10, version 1507, we've added more info to existing audit events t - [Added new BCD events](#bkmk-bcd) - [Added new PNP events](#bkmk-pnp) -### Changed the kernel default audit policy +##### Changed the kernel default audit policy In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. -### Added a default process SACL to LSASS.exe +##### Added a default process SACL to LSASS.exe In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. This can help identify attacks that steal credentials from the memory of a process. -### New fields in the logon event +##### New fields in the logon event The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: 1. **MachineLogon** String: yes or no @@ -136,7 +136,7 @@ The logon event ID 4624 has been updated to include more verbose information to If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). -### New fields in the process creation event +##### New fields in the process creation event The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: 1. **TargetUserSid** String @@ -152,7 +152,7 @@ The logon event ID 4688 has been updated to include more verbose information to 6. **ParentProcessId** String A pointer to the actual parent process if it's different from the creator process. -### New Security Account Manager events +##### New Security Account Manager events In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: - SamrEnumerateGroupsInDomain @@ -168,7 +168,7 @@ In Windows 10, new SAM events were added to cover SAM APIs that perform read/qu - SamrGetMembersInAlias - SamrGetUserDomainPasswordInformation -### New BCD events +##### New BCD events Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): - DEP/NEX settings @@ -179,7 +179,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur - Integrity Services - Disable Winload debugging menu -### New PNP events +##### New PNP events Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. @@ -199,7 +199,7 @@ The following sections describe the new and changed functionality in the TPM for - [Device Guard](device-guard-overview.md) support - [Credential Guard](../keep-secure/credential-guard.md) support -## Device health attestation +### Device health attestation Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. Some things that you can check on the device are: diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index a116933d05..e93467c542 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -19,7 +19,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1 ### Windows Imaging and Configuration Designer (ICD) -In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) Windows ICD now includes simplified workflows for creating provisioning packages: @@ -31,6 +31,10 @@ Windows ICD now includes simplified workflows for creating provisioning packages ## Security +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + ### Windows Hello for Business When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. @@ -43,10 +47,17 @@ Additional changes for Windows Hello in Windows 10, version 1607: [Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md) +### VPN + +- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](../keep-secure/protect-enterprise-data-using-edp.md), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. +   ## Management -## Use Remote Desktop Connection for PCs joined to Azure Active Directory +### Use Remote Desktop Connection for PCs joined to Azure Active Directory From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](../manage/connect-to-remote-aadj-pc.md) diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md index af6bd8ed19..61edb41016 100644 --- a/windows/whats-new/windows-spotlight.md +++ b/windows/whats-new/windows-spotlight.md @@ -7,71 +7,10 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS +redirect_url: /manage/windows-spotlight --- # Windows Spotlight on the lock screen -**Applies to** - -- Windows 10 - -Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. - -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. - -## What does Windows Spotlight include? - - -- **Background image** - - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. - - ![lock screen image](images/lockscreen.png) - -- **Feature suggestions, fun facts, tips** - - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. - -## How do you turn off Windows spotlight locally? - - -To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background](images/spotlight.png) - -## How do you disable Windows Spotlight for managed devices? - - -Windows 10, version 1607, provides three new Group Policy settings to help you manage Spotlight on employees' computers. - -**Windows 10 Pro, Enterprise, and Education** - -- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. - -**Windows 10 Enterprise and Education** - -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) - -Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - -![lockscreen policy details](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. - -![fun facts](images/funfacts.png) - -## Related topics - - -[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) - -  - -  - - - - - +This topic has been redirected. \ No newline at end of file