deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into vso-9235427

Browse Source
This commit is contained in:
Celeste de Guzman 2017-01-25 16:33:10 -08:00
commit 1891d61d3e
21 changed files with 191 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,7 +10,6 @@ Tools/NuGet/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
windows/keep-secure/index.md
# User-specific files
.vs/

1
devices/surface/TOC.md
View File

@ -13,6 +13,7 @@
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

7
devices/surface/change-history-for-surface.md
View File

@ -11,13 +11,18 @@ author: jdeckerMS
This topic lists new and updated topics in the Surface documentation library.
## January 2017
|New or changed topic | Description |
| --- | --- |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | New |
## December 2016
|New or changed topic | Description |
| --- | --- |
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
## November 2016
|New or changed topic | Description |

2
devices/surface/index.md
View File

@ -33,7 +33,9 @@ For more information on planning for, deploying, and managing Surface devices in
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
## Learn more
[Certifying Surface Pro 4 and Surface Book as standard devices at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/849/Certifying-Surface-Pro-4-and-Surface-Book-as-standard-devices-at-Microsoft)

1
devices/surface/update.md
View File

@ -16,6 +16,7 @@ Find out how to download and manage the latest firmware and driver updates for y
| Topic | Description |
| --- | --- |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|

56
devices/surface/wake-on-lan-for-surface-devices.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Wake On LAN for Surface devices (Surface)
description: See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically even if the devices are powered down.
keywords: update, deploy, driver, wol, wake-on-lan
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: jobotto
---
# Wake On LAN for Surface devices
Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically even if the devices are powered down. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty.
>[!NOTE]
>Surface devices must be connected to AC power to support WOL.
## Supported devices
The following devices are supported for WOL:
* Surface Book
* Surface Pro 4
* Surface Pro 3
* Surface 3
* Surface Ethernet adapter
* Surface Dock
* Surface Docking Station for Surface Pro 3
## WOL driver
To enable WOL support on Surface devices, a specific driver for the Surface Ethernet adapter is required. This driver is not included in the standard driver and firmware pack for Surface devices you must download and install it separately. You can download the Surface WOL driver (SurfaceWOL.msi) from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as System Center Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt).
>[!NOTE]
>During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script.
>**HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests**
To extract the contents of SurfaceWOL.msi, use the MSIExec administrative installation option (**/a**), as shown in the following example, to extract the contents to the C:\WOL\ folder:
`msiexec /a surfacewol.msi targetdir=C:\WOL /qn`
## Using Surface WOL
The Surface WOL driver conforms to the WOL standard, whereby the device is woken by a special network communication known as a magic packet. The magic packet consists of 6 bytes of 255 (or FF in hexadecimal) followed by 16 repetitions of the target computers MAC address. You can read more about the magic packet and the WOL standard on [Wikipedia](https://wikipedia.org/wiki/Wake-on-LAN#Magic_packet).
>[!NOTE]
>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device.
Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Windows Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
>[!NOTE]
>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key.

BIN
windows/deploy/images/icd-multi-target-true.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deploy/images/icd-multi-targetstate-true.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/deploy/images/multi-target.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

23
windows/deploy/windows-10-poc.md
View File

@ -153,7 +153,7 @@ The lab architecture is summarized in the following diagram:
[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)<BR>
[Download VHD and ISO files](#download-vhd-and-iso-files)<BR>
[Convert PC to VHD](#convert-pc-to-vhd)<BR>
[Convert PC to VM](#convert-pc-to-vm)<BR>
[Resize VHD](#resize-vhd)<BR>
[Configure Hyper-V](#configure-hyper-v)<BR>
[Configure VMs](#configure-vms)<BR>
@ -507,21 +507,18 @@ Notes:<BR>
### Resize VHD
**Important**: You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
<HR size=4>
**<I>Enhanced session mode</I>**
<<<<<<< HEAD
To verify that enhanced session mode is enabled on your Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
<pre style="overflow-y: visible">Set-VMhost -EnableEnhancedSessionMode $TRUE</pre>
If enhanced session mode was previously disabled, you must close and re-open VM connections after enabling it. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
=======
To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
<pre style="overflow-y: visible">Set-VMhost -EnableEnhancedSessionMode $TRUE</pre>
If enhanced session mode was not previously enabled, you must close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
>>>>>>> vso-7992313a
>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
<HR size=4>
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
@ -853,9 +850,11 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Copy-VMFile "PC1" SourcePath "C:\VHD\pc1.ps1" DestinationPath "C:\pc1.ps1" CreateFullPath FileSource Host
</pre>
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM. This can be done by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server operating systems that are running the Hyper-V role service.
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. You can also try running the following command from an elevated Windows PowerShell prompt on the Hyper-V host:
<pre style="overflow-y: visible">Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"</pre>
If the copy-vmfile command does not work and you cannot properly upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
21. On PC1, type the following commands at an elevated Windows PowerShell prompt:

105
windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
View File

@ -17,20 +17,105 @@ author: brianlic-msft
This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks.
You can use BitLocker to protect your Windows 10 PCs. Whichever operating system youre using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication.
Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default
settings.
Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings.
![how to choose best countermeasures for windows 7](images/bitlockerprebootprotection-counterwin7.jpg)
<table>
<colgroup>
<col width="20%" />
<col width="25%" />
<col width="55%" />
</colgroup>
<tr>
<td></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 8.1<br>without TPM</strong></font></p></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 8.1 Certified<br>(with TPM)</strong></font></p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication</p></td>
</tr>
</table>
**Figure 2.** How to choose the best countermeasures for Windows 7
**Table 1.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 8.1<br><br>
![how to choose countermeasures for windows 8](images/bitlockerprebootprotection-counterwin8.jpg)
<table>
<colgroup>
<col width="20%" />
<col width="25%" />
<col width="55%" />
</colgroup>
<tr>
<td></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 10<br>without TPM</strong></font></p></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 10 Certified<br>(with TPM)</strong></font></p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; certified devices do not expose vulnerable DMA busses.<br>Can be additionally secured by deploying policy to restrict DMA devices:</p>
<ul>
<li><p><a href="https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#DataProtection_AllowDirectMemoryAccess">DataProtection/AllowDirectMemoryAccess</a></p></li>
<li><p><a href="https://support.microsoft.com/en-us/kb/2516445">Block 1394 and Thunderbolt</a></p></li></ul>
</td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled.<br>The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.</p></td>
</tr>
</table>
**Figure 3.** How to choose the best countermeasures for Windows 8
![how to choose countermeasures for windows 8.1](images/bitlockerprebootprotection-counterwin81.jpg)
**Figure 4.** How to choose the best countermeasures for Windows 8.1
**Table 2.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 10
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA portbased attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of
DMA ports is infrequent in the non-developer space.

3
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -79,7 +79,8 @@ The following steps assume that you have completed all the required steps in [Be
<td>Type in the name of the client property file. It must match the client property file.</td>
</tr>
<td>Events URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
</br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
<tr>
<td>Authentication Type</td>
<td>OAuth 2</td>

6
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -37,14 +37,14 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
![Endpoint onboarding](images/atp-onboard-mdm.png)
![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
a. Select **Policy** > **Configuration Policies** > **Add**.
![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png)
![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png)
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
@ -56,7 +56,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
e. Type the following values then select **OK**:
![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
- **Setting name**: Type a name for the setting.

5
windows/keep-secure/credential-guard.md
View File

@ -48,7 +48,7 @@ The following tables provide more information about the hardware, firmware, and
> [!NOTE]
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).<br>
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
> Starting in Widows 10, 1607, TPM 2.0 is required.
@ -61,7 +61,7 @@ The following tables provide more information about the hardware, firmware, and
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
@ -917,6 +917,7 @@ write-host $tmp -Foreground Red
- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
- [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
- [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
- [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)

2
windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -29,7 +29,7 @@ The credentials are also cleaned up when the WiFi or VPN connection is disconnec
When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
WinInet will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
If the app is not UWP, it does not matter.
But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.

BIN
windows/keep-secure/images/atp-add-intune-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/keep-secure/images/atp-mdm-onboarding-package.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

2
windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -54,7 +54,7 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).<br><br>**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
> **Important**&nbsp;&nbsp;The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.

3
windows/keep-secure/windows-defender-advanced-threat-protection.md
View File

@ -93,3 +93,6 @@ Topic | Description
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
## Related topic
[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)

2
windows/keep-secure/windows-defender-in-windows-10.md
View File

@ -18,7 +18,7 @@ author: jasesso
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings

6
windows/manage/waas-quick-start.md
View File

@ -54,7 +54,11 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
## Video: An overview of Windows as a service
<iframe width="560" height="315" src="https://www.youtube.com/embed/MLc4-Suv0LU" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube.com/embed/MLc4-Suv0LU" frameborder="0" allowfullscreen></iframe>
## Learn more
[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
## Related topics