mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into 8284704
@ -23,7 +23,7 @@ The TPM Services Group Policy settings are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
| Setting | Windows 10, version 1607 | Windows 10, version 1511 and Windows 10, version 1507 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista |
| - | - | - | - | - | - |
| - | - | - | - | - | - | - |
| [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | | X| X| X| X| X|
| [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| X|
| [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| X|
@ -32,21 +32,28 @@ The TPM Services Group Policy settings are located at:
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
### <a href="" id="bkmk-tpmgp-addsbu"></a>Turn on TPM backup to Active Directory Domain Services
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information.
>**Note:** This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
>[!NOTE]
>This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands.
>**Important:** To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607.
>[!IMPORTANT]
>To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607.
If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
>[!NOTE]
> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
### <a href="" id="bkmk-tpmgp-clbtc"></a>Configure the list of blocked TPM commands
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
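Review bot: the new note at the end of the section drops the noun after the bolded policy name ("The **Turn on TPM backup to Active Directory Domain Services** is not available ..."); suggest "The **Turn on TPM backup to Active Directory Domain Services** setting is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files." Two nits in the unchanged table rows of this hunk: the **Standard User Total Lockout Threshold** row ends with `X||||` and so has one cell more than the header row and the other rows (the adjacent rows end with `X|||`), and its anchor `#bkmk-tpmgpsutlt` lacks the hyphen that the other anchors (`#bkmk-tpmgp-suld`, `#bkmk-tpmgp-suilt`) use; verify that it matches the heading id it points to.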
@ -168,11 +168,18 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
-and-
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
-or-
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1.
-or-
-and-
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
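Review bot: the four-step **Certificate Path Validation Settings** procedure now appears twice, once after the Group Policy bullet and again after the registry bullet, because `-or-` was changed to `-and-` in both places; two verbatim copies tend to drift, so consider stating the steps once, with a sentence such as "Whichever option you choose, also do the following:" in front of them. The hunk also mixes a `-` bullet for the policy with a numbered list for the steps; if the bullet and the four steps are all required, a single numbered list reads more clearly than a bullet, "-and-", and a second list.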
@ -183,6 +190,9 @@ On Windows Server 2016 Nano Server:
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1.
>[!NOTE]
>CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
### <a href="" id="bkmk-cortana"></a>2. Cortana and Search
Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730683).
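Review bot: the new note says CRL and OCSP traffic "is currently whitelisted" without saying by what; state plainly that this traffic is not covered by the **Turn off Automatic Root Certificates Update** setting and is not stopped by the steps in this section, since that is the question a reader who sees it in a network trace will have. "Currently" also implies the behaviour may change; either say so or drop the word. Finally, the note sits under "On Windows Server 2016 Nano Server:" and so reads as Nano-specific; if it applies to the other editions covered in this section, move it above that subheading.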
@ -609,7 +619,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
-or-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
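Review bot: the Edge policy was renamed from **Turn off the SmartScreen Filter** to **Configure SmartScreen Filter**, but the bullet still says only "Apply the Group Policy"; with a "Configure" policy the reader needs to be told which state to set (the old name made the outcome obvious, the new one does not), so add the value after the path. Separately, the unchanged **File Explorer** > **Configure Windows SmartScreen** line below it lacks the `- ` list marker that the sibling items use.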
@ -943,6 +953,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t
- Turn off the feature in the UI.
-or-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
- Turn off the feature in the UI.
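Review bot: the new **Let Windows apps sync with devices** bullet gives the policy path but not the value to set, whereas the "Let apps run in the background" section later in this file spells it out ("Set the **Select a setting** box to **Force Deny**"); add the same sentence here so the app-privacy entries are consistent and the reader is not left to guess which option turns the feature off.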
@ -1035,13 +1049,15 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-spp"></a>17. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
For Windows 10:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
-or-
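Review bot: the intro sentence says "by doing one of the following", but under "For Windows 10:" two policies are now listed as a pair (**Turn off KMS Client Online AVS Activation** and the newly added **Turn off KMS Client AVS Validation**) before the `-or-`; say whether both policies must be applied together or either one is sufficient, because "one of the following" is naturally read as applying to each bullet. Minor: "on-premise Key Management Server" should read "on-premises".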
@ -1049,7 +1065,7 @@ For Windows 10:
For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
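Review bot: the two policy bullets under "For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:" are identical to the Windows 10 pair above; if the policy path is the same on both platforms, list it once under a combined heading so that the newly added **Turn off KMS Client AVS Validation** entry cannot later be updated in one place and missed in the other. The closing sentence about the 180-day rolling period and weekly status checks to the KMS should also say whether it still holds once these policies are applied, since the reader has just been told how to turn validation off.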
@ -283,17 +283,10 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici
1. Open a command prompt as an administrator.
2. Enter the following command.
<span codelanguage=""></span>
<table>
<colgroup>
<col width="100%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><pre><code>Dism /online /Enable-Feature /FeatureName:Client-EmbeddedShellLauncher</code></pre></td>
</tr>
</tbody>
</table>
```
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
**To set your custom shell**
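Review bot: the replacement command adds a `/all` switch (`Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher`) where the HTML table it replaces had `Dism /online /Enable-Feature /FeatureName:Client-EmbeddedShellLauncher`; in DISM, `/All` also enables the feature's parent features, so this is a behaviour change rather than a pure formatting cleanup and deserves a mention in the step text or the commit message. The new fenced block also carries no language tag; add one so the command is highlighted like other code blocks.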