deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into secaudit

Browse Source
This commit is contained in:
Brian Lich
2016-06-17 09:52:01 -07:00
parent b4f97bc60b 17df36b3dd
commit 0e3b5398b2
1736 changed files with 9980 additions and 2102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
View File

@ -21,7 +21,7 @@ This walkthrough describes how to configure a PXE server to load Windows PE by
## Prerequisites
- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](http://go.microsoft.com/fwlink/p/?LinkId=526740) (Windows ADK) installed.
- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](http://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) installed.
- A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required.
- A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download.
- A file server: A server hosting a network file share.

1
windows/deploy/sideload-apps-in-windows-10.md
View File

@ -5,6 +5,7 @@ ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
---

1
windows/deploy/update-windows-10-images-with-provisioning-packages.md
View File

@ -6,6 +6,7 @@ keywords: provisioning, bulk deployment, image
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
---

1
windows/deploy/windows-10-edition-upgrades.md
View File

@ -5,6 +5,7 @@ ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
---

2
windows/deploy/windows-adk-scenarios-for-it-pros.md
View File

@ -11,7 +11,7 @@ author: greg-lindsay
# Windows ADK for Windows 10 scenarios for IT Pros
The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](http://msdn.microsoft.com/library/windows/hardware/dn927348.aspx).
The [Windows Assessment and Deployment Kit](http://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](http://msdn.microsoft.com/library/windows/hardware/dn927348.aspx).
In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](http://msdn.microsoft.com/library/windows/hardware/dn938361.aspx).

2
windows/keep-secure/bitlocker-overview.md
View File

@ -77,3 +77,5 @@ When installing the BitLocker optional component on a server you will also need
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm).

3
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -29,6 +29,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.|
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New |
## April 2016
@ -88,4 +89,4 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
- [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
- [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)

8
windows/keep-secure/credential-guard.md
View File

@ -233,10 +233,10 @@ You can use System Information to ensure that Credential Guard is running on a P
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, Microsoft Passport, or Microsoft Passport for Work.
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
- If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections.
- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
- Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password.
- Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
- Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
@ -254,6 +254,10 @@ Some ways to store credentials are not protected by Credential Guard, including:
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
## Additional mitigations

2
windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
View File

@ -6,7 +6,7 @@ keywords: identity, PIN, biometric, Hello
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.pagetype: security, mobile
author: jdeckerMS
---
# Manage identity verification using Microsoft Passport

6
windows/manage/change-history-for-manage-and-update-windows-10.md
View File

@ -12,6 +12,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## June 2016
| New or changed topic | Description |
| ---|---|
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the sample script for Shell Launcher. |
## May 2016
| New or changed topic | Description |

3
windows/manage/configure-devices-without-mdm.md
View File

@ -2,10 +2,11 @@
title: Configure devices without MDM (Windows 10)
description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10.
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
keywords: runtime provisioning, provisioning package
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices
author: jdeckerMS
---

6
windows/manage/device-guard-signing-portal.md
View File

@ -54,9 +54,8 @@ Device Guard is a feature set that consists of both hardware and software system
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
| | |
|-------------------------------------------------------|----------|
| Description | Limit |
|-------------------------------------------------------|----------|
| Maximum size for a policy or catalog file | 3.5 MB |
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
@ -68,9 +67,8 @@ When you're uploading files for Device Guard signing, there are a few limits for
Catalog and policy files have required files types.
| | |
|---------------|--------------------|
| File | Required file type |
|---------------|--------------------|
| catalog files | .cat |
| policy files | .bin |

4
windows/manage/distribute-apps-with-management-tool.md
View File

@ -21,7 +21,7 @@ You can configure a mobile device management (MDM) tool to synchronize your Stor
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Windows Store for Business.
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md).
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune).
Store for Business services provide:
@ -62,7 +62,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
[Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md)
[Manage apps you purchased from the Windows Store for Business with Micosoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
[Manage apps you purchased from the Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
 

1
windows/manage/manage-wifi-sense-in-enterprise.md
View File

@ -6,6 +6,7 @@ keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connec
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: eross-msft
---

84
windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
View File

@ -289,76 +289,84 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici
Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```
$COMPUTER = localhost
$NAMESPACE = root\standardcimv2\embedded
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]\\$COMPUTER\${NAMESPACE}:WESL_UserSetting
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = S-1-5-32-544
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
return $NTUserSID.Value
}
}
# Get the SID for a user account named Cashier. Rename Cashier to an existing account on your system to test this script.
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID(Cashier)
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
# Examples. You can change these examples to use the program that you want to use as the shell.
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell(cmd.exe, $restart_device)
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
`nDefault Shell is set to + $DefaultShellObject.Shell + and the default action is set to + $DefaultShellObject.defaultaction
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for Cashier, and restart the machine if Internet Explorer is closed.
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, c:\program files\internet explorer\iexplore.exe www.microsoft.com, ($null), ($null), $restart_shell)
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, explorer.exe)
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
# View all the custom shells defined.
`nCurrent settings for custom shells:
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
`nEnabled is set to + $IsShellLauncherEnabled.Enabled
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## Related topics

2
windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
View File

@ -2,7 +2,7 @@
title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10)
description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings.
ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7
keywords: ["kiosk", "lockdown", "assigned access"]
keywords: kiosk, lockdown, assigned access
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

1
windows/manage/stop-employees-from-using-the-windows-store.md
View File

@ -5,6 +5,7 @@ ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, mobile
author: TrudyHa
---

2
windows/whats-new/applocker.md
View File

@ -2,7 +2,7 @@
title: What's new in AppLocker (Windows 10)
description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F
ms.pagetype: security
ms.pagetype: security, mobile
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library

2
windows/whats-new/bitlocker.md
View File

@ -5,7 +5,7 @@ ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.pagetype: security, mobile
author: brianlic-msft
---

2
windows/whats-new/device-guard-overview.md
View File

@ -2,7 +2,7 @@
title: Device Guard overview (Windows 10)
description: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.
ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2
ms.pagetype: security
ms.pagetype: mobile, security
keywords: Device Guard
ms.prod: w10
ms.mktglfcycl: explore

1
windows/whats-new/edge-ie11-whats-new-overview.md
View File

@ -5,6 +5,7 @@ ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: mobile
author: eross-msft
---

2
windows/whats-new/edp-whats-new-overview.md
View File

@ -6,7 +6,7 @@ keywords: EDP Overview, EDP
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.pagetype: mobile, security
author: eross-msft
---

2
windows/whats-new/microsoft-passport.md
View File

@ -6,7 +6,7 @@ keywords: password, hello, fingerprint, iris, biometric
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.pagetype: mobile, security
author: jdeckerMS
---

1
windows/whats-new/new-provisioning-packages.md
View File

@ -5,6 +5,7 @@ ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
---

2
windows/whats-new/security-auditing.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
ms.pagetype: security
ms.pagetype: security, mobile
---
# What's new in security auditing?

2
windows/whats-new/trusted-platform-module.md
View File

@ -5,7 +5,7 @@ ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.pagetype: security, mobile
author: brianlic-msft
---

2
windows/whats-new/windows-store-for-business-overview.md
View File

@ -3,7 +3,7 @@ title: Windows Store for Business overview (Windows 10)
description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps.
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
ms.prod: w10
ms.pagetype: store
ms.pagetype: store, mobile
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa