From 1fdb176e4464b5384352393bd1399cdac233b4e5 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Wed, 18 Apr 2018 16:30:34 -0700 Subject: [PATCH 1/3] validated the version for each policy and ensuring RS4 policies were complete --- browsers/edge/available-policies.md | 31 ++++++++++++++++------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 3766535880..1dd3c2d38a 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -27,6 +27,21 @@ Microsoft Edge works with the following Group Policy settings to help you manage Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\ +## Allow a shared books folder +>*Supported versions: Windows 10, version 1803* + +This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | +|Data type | Integer | +|Allowed values | | + + ## Allow Address bar drop-down list suggestions >*Supporteded versions: Windows 10, version 1703 or later* @@ -74,7 +89,7 @@ Your browsing data is the information that Microsoft Edge remembers and stores a |Allowed values | | ## Allow configuration updates for the Books Library ->*Supporteded versions: Windows 10* +>*Supporteded versions: Windows 10, version 1803* Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data. @@ -118,7 +133,7 @@ F12 developer tools is a suite of tools to help you build and debug your webpage |Allowed values | | ## Allow extended telemetry for the Books tab ->*Supporteded versions: Windows 10* +>*Supporteded versions: Windows 10, version 1803* If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft. @@ -598,19 +613,7 @@ This policy setting specifies whether you see an additional page in Microsoft Ed |Data type | Integer | |Allowed values | | -## User shared folder for books ->*Supported versions: Windows 10* -This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | -|Data type | Integer | -|Allowed values | | ## Related topics From be9c9592dd770d70bf76c1e649daf06273e89927 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Fri, 20 Apr 2018 13:14:22 -0700 Subject: [PATCH 2/3] updated the content for SSO conditional access --- .../vpn/vpn-conditional-access.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 26fe73a382..0b9edcf96d 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -51,7 +51,7 @@ The following client-side components are also required: - Trusted Platform Module (TPM) ## VPN device compliance -According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certs to the NTAuth store in on-prem AD, your user's cloud cert will chain and KDC will issue TGT and TGS tickets to them. +According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them. Server-side infrastructure requirements to support VPN device compliance include: @@ -61,6 +61,8 @@ Server-side infrastructure requirements to support VPN device compliance include - Domain servers trust Azure AD CA - A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO) + + After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node. Two client-side configuration service providers are leveraged for VPN device compliance. @@ -77,8 +79,12 @@ Two client-side configuration service providers are leveraged for VPN device com - Provisions the Health Attestation Certificate received from the HAS - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification +>[!NOTE] +>Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD. + + ## Client connection flow -The VPN client side connection flow works as follows: +The VPN client side connection flow works as follows: ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png) @@ -94,13 +100,6 @@ When a VPNv2 Profile is configured with \ \true<\/Ena See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. -The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune. - -![conditional access in profile](images/vpn-conditional-access-intune.png) - ->[!NOTE] ->In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profile’s successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the user’s device yet. - ## Learn more about Conditional Access and Azure AD Health - [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) From 315b0edfdb5e6381e14fbd7387d472956220123a Mon Sep 17 00:00:00 2001 From: Patti Short Date: Fri, 20 Apr 2018 14:13:01 -0700 Subject: [PATCH 3/3] final adjustment of content --- browsers/edge/available-policies.md | 47 ++----------------- .../vpn/vpn-conditional-access.md | 8 +--- 2 files changed, 5 insertions(+), 50 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 1dd3c2d38a..fcdd64629c 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -3,12 +3,13 @@ description: Microsoft Edge works with Group Policy and Microsoft Intune to help ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 author: shortpatti ms.author: pashort +manager: elizapo ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: high -ms.date: 4/5/2018 #Previsou release date 09/13/2017 +ms.date: 4/20/2018 #Previous release date 09/13/2017 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge @@ -27,21 +28,6 @@ Microsoft Edge works with the following Group Policy settings to help you manage Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\ -## Allow a shared books folder ->*Supported versions: Windows 10, version 1803* - -This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | -|Data type | Integer | -|Allowed values |
  • **0** - No shared folder.
  • **1** - Use as shared folder.
| - - ## Allow Address bar drop-down list suggestions >*Supporteded versions: Windows 10, version 1703 or later* @@ -88,20 +74,6 @@ Your browsing data is the information that Microsoft Edge remembers and stores a |Data type | Integer | |Allowed values |
  • **0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
  • **1** - Browsing data is cleared on exit.
| -## Allow configuration updates for the Books Library ->*Supporteded versions: Windows 10, version 1803* - -Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowConfigurationUpdateForBooksLibrary ](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary | -|Data type | Integer | -|Allowed values |
  • **0** - Disable. Microsoft Edge cannot retrieve a configuration.
  • **1 (default)** - Enable (default). Microsoft Edge can retrieve a configuration for Books Library.
| - ## Allow Cortana >*Supported versions: Windows 10, version 1607 or later* @@ -132,19 +104,6 @@ F12 developer tools is a suite of tools to help you build and debug your webpage |Data type | Integer | |Allowed values |
  • **0** - The F12 Developer Tools are disabled.
  • **1 (default)** - The F12 Developer Tools are enabled.
| -## Allow extended telemetry for the Books tab ->*Supporteded versions: Windows 10, version 1803* - -If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry | -|Data type | Integer | -|Allowed values |
  • **0 (default)** - Disable. Only basic diagnostic data is sent.
  • **1** - Enable. Both Basic and additional diagnostic data is sent.
| ## Allow Extensions >*Supporteded versions: Windows 10, version 1607 or later* @@ -212,7 +171,7 @@ This policy setting lets you configure what appears when a New Tab page is opene ## Always Enable book library ->*Supporteded versions: Windows 10* +>*Supporteded versions: Windows 10, version 1709 or later* This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation. diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 0b9edcf96d..7d22c3efb9 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -7,9 +7,10 @@ ms.sitesec: library ms.pagetype: security, networking author: shortpatti ms.author: pashort +manager: elizapo ms.reviewer: ms.localizationpriority: high -ms.date: 04/17/2018 +ms.date: 04/20/2018 --- # VPN and conditional access @@ -44,7 +45,6 @@ Conditional Access Platform components used for Device Compliance include the fo - Encryption compliance - Device health attestation state (validated against attestation service after query) - The following client-side components are also required: - [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx) - [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings @@ -61,8 +61,6 @@ Server-side infrastructure requirements to support VPN device compliance include - Domain servers trust Azure AD CA - A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO) - - After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node. Two client-side configuration service providers are leveraged for VPN device compliance. @@ -111,9 +109,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/) - ## Related topics - - [VPN technical guide](vpn-guide.md) - [VPN connection types](vpn-connection-type.md) - [VPN routing decisions](vpn-routing.md)