mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
from master
@ -1,5 +1,5 @@
---
title: Hybrid Key trust Windows Hello for Business Prerequistes (Windows Hello for Business)
title: Hybrid Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Prerequisites for Hybrid Windows Hello for Business Deployments
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
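Review bot: the title fix (Prerequistes to Prerequisites) is right; the same misspelling is also corrected further down in this patch for the cert-trust TOC entry, so it is worth grepping the repo for any remaining `Prerequistes` (the key-trust TOC entry in particular) so that page titles and the rendered navigation stay consistent in one change.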
@ -72,7 +72,7 @@ The table shows the minimum requirements for each deployment.
## Frequently Asked Questions
### Can I deploy Windows Hello for Business using System Center Configuration Manager?
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deploymnet model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager wil no long be supported after November 2018.
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018.
### What is the password-less strategy?
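Review bot: the corrected line still reads "will no long be supported after November 2018"; "no long" should be "no longer", and since this hunk is already fixing typos in that sentence it should be fixed here rather than in a follow-up. Suggested wording: `Deployments using System Center Configuration Manager will no longer be supported after November 2018.`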
@ -284,7 +284,7 @@ If box **2a** reads **GP** and box **2b** reads **modern management**, write **A
| Web Server | NDES |
| CEP Encryption | NDES |
If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FS RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
| Certificate Template Name | Issued To |
| --- | --- |
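Review bot: `AD FA RA` to `AD FS RA` is the right correction (the registration authority here is AD FS, and the NDES rows in the context above use the same "issued to" pattern). The planning worksheet has several parallel branches of this sentence for other combinations of boxes 2a and 2b, so check that every other occurrence of the registration authority name in this file already reads `AD FS RA` rather than fixing only this one.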
@ -22,7 +22,7 @@
#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
#### [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
#### [New Installation Baseline](hello-hybrid-cert-new-install.md)
#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
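Review bot: only the visible heading text changes here and the link target `hello-hybrid-cert-trust-prereqs.md` is left alone, which is correct because the file name uses `prereqs`. The first hunk in this patch fixes the same typo in the key-trust prerequisites page title, so the key-trust TOC entry (the sibling of the `Sign-in and Provision` line shown in context) should be checked for the same `Prerequistes` spelling before this is merged.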
@ -1,5 +1,5 @@
---
title: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security (Windows 10)
title: Open the Group Policy Management Console to Windows Defender Firewall (Windows 10)
description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.prod: w10
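Review bot: the `title:` drops "with Advanced Security" but the `description:` line two lines below still says "Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security", so the page metadata becomes inconsistent with itself. Either update the description to match (`description: Open the Group Policy Management Console to Windows Defender Firewall`) or keep both in the longer form.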
@ -7,10 +7,10 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
ms.date: 04/02/2017
---
# Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
# Open the Group Policy Management Console to Windows Defender Firewall
**Applies to**
- Windows 10
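Review bot: `ms.date` goes from `08/17/2017` to `04/02/2017`, which moves the date four months backwards; the Application Identity hunk in this same patch sets `04/02/2018`, so this almost certainly should be `ms.date: 04/02/2018`. The H1 change mirrors the shortened front-matter title, so the description mismatch noted for the front matter applies to the rendered page as well.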
@ -18,10 +18,8 @@ ms.date: 08/17/2017
To open a GPO to Windows Defender Firewall:
1. Open the Active Directory Users and Computers console.
1. Open the Group Policy Management console.
2. In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
3. Click the **Group Policy** tab, select your GPO, and then click **Edit**.
4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**.
3. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**.
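Review bot: step 3 still refers to the "Group Policy Object Editor", but the editor that opens from the GPMC **Edit** command in the new step 2 is titled Group Policy Management Editor; now that the procedure no longer goes through Active Directory Users and Computers, the editor name in step 3 should be updated to match what the reader actually sees. The renumbering after dropping the two ADUC steps (1, 2, 3) is consistent with the `-18,10 +18,8` header.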
@ -62,7 +62,7 @@ WIP provides:
- Additional data protection for existing line-of-business apps without a need to update the apps.
- Ability to wipe corporate data from devices while leaving personal data alone.
- Ability to wipe corporate data from Intune MDM enrolled devices while leaving personal data alone.
- Use of audit reports for tracking issues and remedial actions.
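Review bot: narrowing the wipe bullet to "Intune MDM enrolled devices" changes the stated scope of WIP selective wipe. If the actual requirement is an MDM enrollment in general, "MDM-enrolled devices" is the accurate wording; if the capability really is Intune-specific, a link to the Intune wipe procedure would help readers who manage WIP through another MDM understand what they lose. Either way the bullet should say which of the two is meant.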
@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
ms.date: 09/21/2017
ms.date: 04/02/2018
---
# Configure the Application Identity service
@ -38,4 +38,12 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**.
3. Verify that the status for the Application Identity service is **Running**.
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic**.
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead:
- Open an elevated commnad prompt or PowerShell session and type:
```powershell
sc.exe config appidsvc start= auto
```
- Create a security template that configures appidsvc to be automatic start, and apply it using secedit.exe or LGPO.exe.
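Review bot: two typos in the added text: "Sevices snap-in" should be "Services snap-in" and "commnad prompt" should be "command prompt". The command itself is correct as written: `sc.exe config appidsvc start= auto` needs the space after `start=`, and spelling it `sc.exe` matters inside a `powershell` fence because in Windows PowerShell `sc` alone resolves to the `Set-Content` alias. It would also help readers to say that the service's protected-process status is the reason the Services snap-in refuses the change, which is what the surrounding sentence already implies.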
@ -146,7 +146,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
` New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs`
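Review bot: the link update is fine, but the command in the trailing context line is written with an en dash (`–UserPEs`) rather than an ASCII hyphen (`-UserPEs`). PowerShell's tokenizer tolerates Unicode dash variants in parameter names, but the character does not survive copy-paste into every tool and reads as a typo in the rendered page; since the same en dash appears in the other two `New-CIPolicy` commands touched by this patch, normalize all three to `-UserPEs` while these lines are being edited.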
@ -105,13 +105,13 @@ Table 3. Windows Defender Application Control policy - file rule levels
| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |
> **Note** When you create WDAC policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> **Note** When you create WDAC policies with the [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
## Example of file rule levels in use
For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the WDAC policy so that the hash in the policy matches the hash of the updated internal application.
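Review bot: the note in this hunk spells the rule level "PCACertificate" while the `New-CIPolicy` commands elsewhere in this patch use `-Level PcaCertificate`; the parameter value is matched case-insensitively so both work, but using one spelling throughout the WDAC pages avoids readers wondering whether they are different levels. The link swaps to the docs.microsoft.com cmdlet reference are otherwise consistent across the three hunks.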
@ -797,7 +797,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
2. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a new WDAC policy by scanning the system for installed applications:
2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications:
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt `
@ -887,7 +887,7 @@ Use the following procedure after you have been running a computer with a WDAC p
` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
3. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
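Review bot: the warning log file is named `CIPolicylog.txt` here but `CIPolicyLog.txt` in the earlier `New-CIPolicy` command of this patch; NTFS is case-insensitive so both commands write the same file, but the prose in this step names the file twice, so pick one capitalization for the whole page. The `3>` redirection of the warning stream is described accurately.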
@ -29,7 +29,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
It is advisable to set **Account lockout duration** to approximately 30 minutes. To specify that the account will never be locked out, set the value to 0. To configure the value for this policy setting so that it never automatically unlocks the account might seem like a good idea; however, doing so can increase the number of requests that your organization’s Help Desk receives to unlock accounts that were locked by mistake.
It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the Account lockout threshold value to 0.
### Location
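Review bot: the context line above still reads "If th **Account lockout duration**" and should be "If the"; fix it in the same pass since the paragraph is being edited anyway. The rewrite itself is an improvement: the old sentence told readers to set the duration to 0 to "never lock out", which contradicts the context line stating that a duration of 0 keeps the account locked until an administrator unlocks it, and the new text correctly points at the Account lockout threshold instead. The dropped sentence about Help Desk load from manual unlocks was useful rationale and could be kept after the new recommendation.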