Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into WAreorg
@ -135,6 +135,22 @@
|
||||
"moniker_groups": [],
|
||||
"version": 0
|
||||
},
|
||||
{
|
||||
"docset_name": "privacy",
|
||||
"build_source_folder": "windows/privacy",
|
||||
"build_output_subfolder": "privacy",
|
||||
"locale": "en-us",
|
||||
"monikers": [],
|
||||
"moniker_ranges": [],
|
||||
"open_to_public_contributors": false,
|
||||
"type_mapping": {
|
||||
"Conceptual": "Content",
|
||||
"ManagedReference": "Content",
|
||||
"RestApi": "Content"
|
||||
},
|
||||
"build_entry_point": "docs",
|
||||
"template_folder": "_themes"
|
||||
},
|
||||
{
|
||||
"docset_name": "security",
|
||||
"build_source_folder": "windows/security",
|
||||
|
@ -217,6 +217,7 @@
|
||||
#### [InternetExplorer](policy-csp-internetexplorer.md)
|
||||
#### [Kerberos](policy-csp-kerberos.md)
|
||||
#### [KioskBrowser](policy-csp-kioskbrowser.md)
|
||||
#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
|
||||
#### [Licensing](policy-csp-licensing.md)
|
||||
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
|
||||
#### [Location](policy-csp-location.md)
|
||||
|
@ -2535,7 +2535,6 @@ The following list shows the configuration service providers supported in Window
|
||||
| [DeveloperSetup CSP](developersetup-csp.md) |  | 2 (Provisioning only)|
|
||||
| [DeviceStatus CSP](devicestatus-csp.md) |  |  |
|
||||
| [DevInfo CSP](devinfo-csp.md) |  |  |
|
||||
| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |
|
||||
| [DMAcc CSP](dmacc-csp.md) |  |  |
|
||||
| [DMClient CSP](dmclient-csp.md) |  |  |
|
||||
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |
|
||||
|
@ -10,7 +10,7 @@ ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: nickbrower
|
||||
ms.date: 03/03/2018
|
||||
ms.date: 03/15/2018
|
||||
---
|
||||
|
||||
# What's new in MDM enrollment and management
|
||||
@ -30,6 +30,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
||||
- [What's new in Windows 10, version 1607](#whatsnew1607)
|
||||
- [What's new in Windows 10, version 1703](#whatsnew10)
|
||||
- [What's new in Windows 10, version 1709](#whatsnew1709)
|
||||
- [What's new in Windows 10, version 1803](#whatsnew1803)
|
||||
- [Change history in MDM documentation](#change-history-in-mdm-documentation)
|
||||
- [Breaking changes and known issues](#breaking-changes-and-known-issues)
|
||||
- [Get command inside an atomic command is not supported](#getcommand)
|
||||
@ -1124,6 +1125,230 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
## <a href="" id="whatsnew1803"></a>What's new in Windows 10, version 1803
|
||||
|
||||
<table class="mx-tdBreakAll">
|
||||
<colgroup>
|
||||
<col width="25%" />
|
||||
<col width="75%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th>New or updated topic</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration</li>
|
||||
<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold</li>
|
||||
<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter</li>
|
||||
<li>ApplicationDefaults/EnableAppUriHandlers</li>
|
||||
<li>Browser/AllowConfigurationUpdateForBooksLibrary</li>
|
||||
<li>Browser/AlwaysEnableBooksLibrary</li>
|
||||
<li>Browser/EnableExtendedBooksTelemetry</li>
|
||||
<li>Browser/UseSharedFolderForBooks</li>
|
||||
<li>Connectivity/AllowPhonePCLinking</li>
|
||||
<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp</li>
|
||||
<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp</li>
|
||||
<li>DeliveryOptimization/DOGroupIdSource</li>
|
||||
<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth</li>
|
||||
<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth</li>
|
||||
<li>DeliveryOptimization/DORestrictPeerSelectionBy</li>
|
||||
<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth</li>
|
||||
<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth</li>
|
||||
<li>Display/DisablePerProcessDpiForApps</li>
|
||||
<li>Display/EnablePerProcessDpi</li>
|
||||
<li>Display/EnablePerProcessDpiForApps</li>
|
||||
<li>Experience/AllowWindowsSpotlightOnSettings</li>
|
||||
<li>KioskBrowser/BlockedUrlExceptions</li>
|
||||
<li>KioskBrowser/BlockedUrls</li>
|
||||
<li>KioskBrowser/DefaultURL</li>
|
||||
<li>KioskBrowser/EnableHomeButton</li>
|
||||
<li>KioskBrowser/EnableNavigationButtons</li>
|
||||
<li>KioskBrowser/RestartOnIdleTime</li>
|
||||
<li>LanmanWorkstation/EnableInsecureGuestLogons</li>
|
||||
<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
|
||||
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
|
||||
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
|
||||
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
|
||||
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
|
||||
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
|
||||
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible</li>
|
||||
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
|
||||
<li>LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge</li>
|
||||
<li>LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey</li>
|
||||
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
|
||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</li>
|
||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
|
||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
|
||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
|
||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
|
||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
|
||||
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
|
||||
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
|
||||
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
|
||||
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
|
||||
<li>RestrictedGroups/ConfigureGroupMembership</li>
|
||||
<li>Search/AllowCortanaInAAD</li>
|
||||
<li>Search/DoNotUseWebResults</li>
|
||||
<li>Security/ConfigureWindowsPasswords</li>
|
||||
<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally</li>
|
||||
<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode</li>
|
||||
<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode</li>
|
||||
<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode</li>
|
||||
<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode</li>
|
||||
<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode</li>
|
||||
<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</li>
|
||||
<li>TaskScheduler/EnableXboxGameSaveTask</li>
|
||||
<li>TextInput/AllowHardwareKeyboardTextSuggestions</li>
|
||||
<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</li>
|
||||
<li>TextInput/ForceTouchKeyboardDockedState</li>
|
||||
<li>TextInput/TouchKeyboardDictationButtonAvailability</li>
|
||||
<li>TextInput/TouchKeyboardEmojiButtonAvailability</li>
|
||||
<li>TextInput/TouchKeyboardFullModeAvailability</li>
|
||||
<li>TextInput/TouchKeyboardHandwritingModeAvailability</li>
|
||||
<li>TextInput/TouchKeyboardNarrowModeAvailability</li>
|
||||
<li>TextInput/TouchKeyboardSplitModeAvailability</li>
|
||||
<li>TextInput/TouchKeyboardWideModeAvailability</li>
|
||||
<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
|
||||
<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
|
||||
<li>UserRights/AccessFromNetwork</li>
|
||||
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
|
||||
<li>UserRights/AllowLocalLogOn</li>
|
||||
<li>UserRights/BackupFilesAndDirectories</li>
|
||||
<li>UserRights/ChangeSystemTime</li>
|
||||
<li>UserRights/CreateGlobalObjects</li>
|
||||
<li>UserRights/CreatePageFile</li>
|
||||
<li>UserRights/CreatePermanentSharedObjects</li>
|
||||
<li>UserRights/CreateSymbolicLinks</li>
|
||||
<li>UserRights/CreateToken</li>
|
||||
<li>UserRights/DebugPrograms</li>
|
||||
<li>UserRights/DenyAccessFromNetwork</li>
|
||||
<li>UserRights/DenyLocalLogOn</li>
|
||||
<li>UserRights/DenyRemoteDesktopServicesLogOn</li>
|
||||
<li>UserRights/EnableDelegation</li>
|
||||
<li>UserRights/GenerateSecurityAudits</li>
|
||||
<li>UserRights/ImpersonateClient</li>
|
||||
<li>UserRights/IncreaseSchedulingPriority</li>
|
||||
<li>UserRights/LoadUnloadDeviceDrivers</li>
|
||||
<li>UserRights/LockMemory</li>
|
||||
<li>UserRights/ManageAuditingAndSecurityLog</li>
|
||||
<li>UserRights/ManageVolume</li>
|
||||
<li>UserRights/ModifyFirmwareEnvironment</li>
|
||||
<li>UserRights/ModifyObjectLabel</li>
|
||||
<li>UserRights/ProfileSingleProcess</li>
|
||||
<li>UserRights/RemoteShutdown</li>
|
||||
<li>UserRights/RestoreFilesAndDirectories</li>
|
||||
<li>UserRights/TakeOwnership</li>
|
||||
<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI</li>
|
||||
<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI</li>
|
||||
<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery</li>
|
||||
<li>WindowsDefenderSecurityCenter/HideSecureBoot</li>
|
||||
<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li>
|
||||
</ul>
|
||||
<p>Security/RequireDeviceEncrption - updated to show it is supported in desktop.</p>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, version 1803.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>AADSendDeviceToken</li>
|
||||
<li>BlockInStatusPage</li>
|
||||
<li>AllowCollectLogsButton</li>
|
||||
<li>CustomErrorText</li>
|
||||
<li>SkipDeviceStatusPage</li>
|
||||
<li>SkipUserStatusPage</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>AutomaticRedeployment</li>
|
||||
<li>doAutomaticRedeployment</li>
|
||||
<li>LastError</li>
|
||||
<li>Status</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[UEFI CSP](uefi-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[Update CSP](update-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>Rollback</li>
|
||||
<li>Rollback/FeatureUpdate</li>
|
||||
<li>Rollback/QualityUpdateStatus</li>
|
||||
<li>Rollback/FeatureUpdateStatus</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>Status</li>
|
||||
<li>ShellLauncher</li>
|
||||
<li>StatusConfiguration</li>
|
||||
</ul>
|
||||
<p>Updated the AssigneAccessConfiguration schema.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>MaintainProcessorArchitectureOnUpdate</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
<tr>
|
||||
<td style="vertical-align:top">[eUICCs CSP](euiccs-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>IsEnabled</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
<tr>
|
||||
<td style="vertical-align:top">[DeviceStatus CSP](devicestatus-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
|
||||
<ul>
|
||||
<li>OS/Mode</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
</td></tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
## Breaking changes and known issues
|
||||
|
||||
### <a href="" id="getcommand"></a>Get command inside an atomic command is not supported
|
||||
@ -1431,6 +1656,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
|
||||
<ul>
|
||||
<li>ApplicationDefaults/EnableAppUriHandlers</li>
|
||||
<li>Connectivity/AllowPhonePCLinking</li>
|
||||
<li>RestrictedGroups/ConfigureGroupMembership</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
</tbody>
|
||||
|
@ -1906,6 +1906,14 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
### LanmanWorkstation policies
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons" id="lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
### Licensing policies
|
||||
|
||||
<dl>
|
||||
|
106
windows/client-management/mdm/policy-csp-lanmanworkstation.md
Normal file
@ -0,0 +1,106 @@
|
||||
---
|
||||
title: Policy CSP - LanmanWorkstation
|
||||
description: Policy CSP - LanmanWorkstation
|
||||
ms.author: maricia
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: nickbrower
|
||||
ms.date: 03/16/2018
|
||||
---
|
||||
|
||||
# Policy CSP - LanmanWorkstation
|
||||
|
||||
> [!WARNING]
|
||||
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
## LanmanWorkstation policies
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="#lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policy-->
|
||||
<a href="" id="lanmanworkstation-enableinsecureguestlogons"></a>**LanmanWorkstation/EnableInsecureGuestLogons**
|
||||
|
||||
<!--SupportedSKUs-->
|
||||
<table>
|
||||
<tr>
|
||||
<th>Home</th>
|
||||
<th>Pro</th>
|
||||
<th>Business</th>
|
||||
<th>Enterprise</th>
|
||||
<th>Education</th>
|
||||
<th>Mobile</th>
|
||||
<th>Mobile Enterprise</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<!--/SupportedSKUs-->
|
||||
<!--Scope-->
|
||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
||||
|
||||
> [!div class = "checklist"]
|
||||
> * Device
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
|
||||
|
||||
If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
|
||||
|
||||
If you disable this policy setting, the SMB client will reject insecure guest logons.
|
||||
|
||||
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
ADMX Info:
|
||||
- GP English name: *Enable insecure guest logons*
|
||||
- GP name: *Pol_EnableInsecureGuestLogons*
|
||||
- GP ADMX file name: *LanmanWorkstation.admx*
|
||||
|
||||
<!--/ADMXMapped-->
|
||||
<!--SupportedValues-->
|
||||
This setting supports a range of values between 0 and 1.
|
||||
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--Example-->
|
||||
|
||||
<!--/Example-->
|
||||
<!--Validation-->
|
||||
|
||||
<!--/Validation-->
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
Footnote:
|
||||
|
||||
- 1 - Added in Windows 10, version 1607.
|
||||
- 2 - Added in Windows 10, version 1703.
|
||||
- 3 - Added in Windows 10, version 1709.
|
||||
- 4 - Added in Windows 10, version 1803.
|
||||
|
||||
<!--/Policies-->
|
||||
|
@ -6,7 +6,7 @@ ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: nickbrower
|
||||
ms.date: 01/12/2018
|
||||
ms.date: 03/15/2018
|
||||
---
|
||||
|
||||
# Policy CSP - RestrictedGroups
|
||||
@ -17,20 +17,22 @@ ms.date: 01/12/2018
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--StartPolicies-->
|
||||
<!--Policies-->
|
||||
## RestrictedGroups policies
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership" id="restrictedgroups-configuregroupmembership">RestrictedGroups/ConfigureGroupMembership</a>
|
||||
<a href="#restrictedgroups-configuregroupmembership">RestrictedGroups/ConfigureGroupMembership</a>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
|
||||
<hr/>
|
||||
<!--StartPolicy-->
|
||||
|
||||
<!--Policy-->
|
||||
<a href="" id="restrictedgroups-configuregroupmembership"></a>**RestrictedGroups/ConfigureGroupMembership**
|
||||
|
||||
<!--StartSKU-->
|
||||
<!--SupportedSKUs-->
|
||||
<table>
|
||||
<tr>
|
||||
<th>Home</th>
|
||||
@ -47,13 +49,13 @@ ms.date: 01/12/2018
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<!--EndSKU-->
|
||||
<!--StartScope-->
|
||||
<!--/SupportedSKUs-->
|
||||
<!--Scope-->
|
||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
||||
|
||||
> [!div class = "checklist"]
|
||||
@ -61,19 +63,13 @@ ms.date: 01/12/2018
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--EndScope-->
|
||||
<!--StartDescription-->
|
||||
This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
|
||||
|
||||
> [!Note]
|
||||
> This policy is only scoped to the Administrators group at this time.
|
||||
Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
|
||||
|
||||
Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
|
||||
|
||||
> [!Note]
|
||||
> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
|
||||
|
||||
<!--EndDescription-->
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
|
||||
<!--/SupportedValues-->
|
||||
@ -83,7 +79,7 @@ Using the policy, you can specify what members are part of a group. Any members
|
||||
<!--Validation-->
|
||||
|
||||
<!--/Validation-->
|
||||
<!--EndPolicy-->
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
Footnote:
|
||||
@ -91,6 +87,7 @@ Footnote:
|
||||
- 1 - Added in Windows 10, version 1607.
|
||||
- 2 - Added in Windows 10, version 1703.
|
||||
- 3 - Added in Windows 10, version 1709.
|
||||
- 4 - Added in Windows 10, version 1803.
|
||||
|
||||
<!--EndPolicies-->
|
||||
<!--/Policies-->
|
||||
|
||||
|
@ -7,7 +7,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.date: 01/10/2018
|
||||
ms.date: 03/16/2018
|
||||
author: greg-lindsay
|
||||
---
|
||||
|
||||
@ -36,7 +36,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
|
||||
Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
|
||||
</td>
|
||||
<td align="center" style="width:16%; border:1;">
|
||||
<a href="https://docs.microsoft.com/en-us/windows/deployment/windows-10-autopilot">Overview of Windows AutoPilot</a>
|
||||
<a href="https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot">Overview of Windows AutoPilot</a>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
1
windows/privacy/TOC.md
Normal file
@ -0,0 +1 @@
|
||||
# [Index](index.md)
|
3
windows/privacy/breadcrumb/toc.yml
Normal file
@ -0,0 +1,3 @@
|
||||
- name: Docs
|
||||
tocHref: /
|
||||
topicHref: /
|
46
windows/privacy/docfx.json
Normal file
@ -0,0 +1,46 @@
|
||||
{
|
||||
"build": {
|
||||
"content": [
|
||||
{
|
||||
"files": [
|
||||
"**/*.md",
|
||||
"**/*.yml"
|
||||
],
|
||||
"exclude": [
|
||||
"**/obj/**",
|
||||
"**/includes/**",
|
||||
"_themes/**",
|
||||
"_themes.pdf/**",
|
||||
"README.md",
|
||||
"LICENSE",
|
||||
"LICENSE-CODE",
|
||||
"ThirdPartyNotices"
|
||||
]
|
||||
}
|
||||
],
|
||||
"resource": [
|
||||
{
|
||||
"files": [
|
||||
"**/*.png",
|
||||
"**/*.jpg"
|
||||
],
|
||||
"exclude": [
|
||||
"**/obj/**",
|
||||
"**/includes/**",
|
||||
"_themes/**",
|
||||
"_themes.pdf/**"
|
||||
]
|
||||
}
|
||||
],
|
||||
"overwrite": [],
|
||||
"externalReference": [],
|
||||
"globalMetadata": {
|
||||
"breadcrumb_path": "/windows/privacy/breadcrumb/toc.json",
|
||||
"extendBreadcrumb": true
|
||||
},
|
||||
"fileMetadata": {},
|
||||
"template": [],
|
||||
"dest": "privacy",
|
||||
"markdownEngineName": "markdig"
|
||||
}
|
||||
}
|
1
windows/privacy/index.md
Normal file
@ -0,0 +1 @@
|
||||
# Welcome to privacy!
|
@ -94,7 +94,7 @@ For many years, Microsoft has recommended using pre-boot authentication to prote
|
||||
|
||||
Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
|
||||
|
||||
BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later Modern Standby devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-Modern Standby Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
|
||||
BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
|
||||
Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
|
||||
|
||||
You can mitigate the risk of booting to a malicious operating system:
|
||||
|
After Width: | Height: | Size: 33 KiB |
After Width: | Height: | Size: 5.8 KiB |
After Width: | Height: | Size: 65 KiB |
After Width: | Height: | Size: 3.8 KiB |
After Width: | Height: | Size: 25 KiB |
Before Width: | Height: | Size: 76 KiB After Width: | Height: | Size: 30 KiB |
After Width: | Height: | Size: 24 KiB |
After Width: | Height: | Size: 3.1 KiB |
@ -9,7 +9,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: mjcaparas
|
||||
localizationpriority: high
|
||||
ms.date: 10/23/2017
|
||||
ms.date: 03/16/2018
|
||||
---
|
||||
# Create and build Power BI reports using Windows Defender ATP data
|
||||
|
||||
@ -32,33 +32,94 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
|
||||
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization.
|
||||
|
||||
You can easily get started by:
|
||||
- Creating a dashboard on the Power BI service
|
||||
- Creating a dashboard on the Power BI service:
|
||||
- From the Windows Defender ATP portal or
|
||||
- From the Power BI portal
|
||||
- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
|
||||
|
||||
You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
|
||||
|
||||
## Create a Windows Defender ATP dashboard on Power BI service
|
||||
## Create a Power BI dashboard from the Windows Defender ATP portal
|
||||
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
|
||||
|
||||
1. In the navigation pane, select **Preferences setup** > **Power BI reports**.
|
||||
|
||||
2. Click **Create dashboard**. This opens up a new tab in your browser and loads the Power BI service with data from your organization.
|
||||
|
||||

|
||||
|
||||
2. Click **Create dashboard**. You'll see a notification that things are being loaded.
|
||||
|
||||

|
||||
|
||||
|
||||
3. Specify the following details:
|
||||
- **extensionDataSourceKind**: WDATPConnector
|
||||
- **extensionDataSourcePath**: WDATPConnector
|
||||
- **Authentication method**: OAuth2
|
||||
|
||||

|
||||
|
||||
4. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
|
||||
|
||||

|
||||
|
||||
5. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
|
||||
|
||||

|
||||
|
||||
>[!NOTE]
|
||||
>Loading your data in the Power BI service can take a few minutes.
|
||||
>Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
|
||||
|
||||
3. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
|
||||
When importing data is completed and the dataset is ready, you’ll the following notification:
|
||||
|
||||

|
||||

|
||||
|
||||
4. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph.
|
||||
6. Click **View dataset** to explore your data.
|
||||
|
||||
When the dashboard is ready, you’ll get a notification within the Power BI website. Use the link in the portal to the Power BI console after creating the dashboard.
|
||||
|
||||
For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
|
||||
|
||||
|
||||
## Create a Power BI dashboard from the Power BI portal
|
||||
|
||||
1. Login to [Power BI](https://powerbi.microsoft.com/).
|
||||
|
||||
2. Click **Get Data**.
|
||||
|
||||
3. Select **Microsoft AppSource** > **My Organization** > **Get**.
|
||||
|
||||

|
||||
|
||||
4. In the AppSource window, select **Apps** and search for Windows Defender Advanced Threat Protection.
|
||||
|
||||

|
||||
|
||||
5. Click **Get it now**.
|
||||
|
||||
6. Specify the following details:
|
||||
- **extensionDataSourceKind**: WDATPConnector
|
||||
- **extensionDataSourcePath**: WDATPConnector
|
||||
- **Authentication method**: OAuth2
|
||||
|
||||

|
||||
|
||||
7. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
|
||||
|
||||

|
||||
|
||||
8. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
|
||||
|
||||

|
||||
|
||||
>[!NOTE]
|
||||
>Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
|
||||
|
||||
When importing data is completed and the dataset is ready, you’ll the following notification:
|
||||
|
||||

|
||||
|
||||
9. Click **View dataset** to explore your data.
|
||||
|
||||
|
||||
## Build a custom Windows Defender ATP dashboard in Power BI Desktop
|
||||
You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
|
||||
|
||||
@ -93,9 +154,9 @@ After completing the steps in the Before you begin section, you can proceed with
|
||||
|
||||
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
|
||||
|
||||
2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
|
||||
2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
|
||||
|
||||

|
||||

|
||||
|
||||
3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
|
||||
|
||||
@ -112,9 +173,9 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash
|
||||
|
||||

|
||||
|
||||
4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
|
||||
4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
|
||||
|
||||

|
||||

|
||||
|
||||
5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
|
||||
|
||||
|